Re: [Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

From: Petr Pisar
Subject: Re: [Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling
Date: Wed, 19 Aug 2015 18:19:16 +0200
User-agent: Mutt/1.5.23 (2014-03-12)

On Wed, Aug 19, 2015 at 03:37:06PM +0000, Tim Ruehsen wrote:
> Regarding MITM and other attacks... did you notice that OCSP responder URLs
> are HTTP (plain text) with all the insecurity? I never saw an HTTPS URL, did
> you?
There is no need for HTTPS. The OCSP response is signed by the CA's OCSP
responder. So the problem of OCSP response integrity reduces to verifying the
OCSP response signature. Of course, to verify the signature, one needs to
verify the OCSP responder's certificate. But this is the same story as with CRLs.

-- Petr

Attachment: signature.asc
Description: PGP signature
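
The point made in the reply above can be checked offline with `openssl ocsp`. This is an added example, not part of the original message or of wget: it builds a throwaway CA and server certificate (every name, key and file is constructed), then verifies two OCSP responses that both say "good", one signed by the CA and one signed by a key the CA never authorized.

```shell
#!/usr/bin/env bash
# Added example: every key, name and file below is throwaway test material.
set -eu
cd "$(mktemp -d)"
q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still aborts on failure

# A test CA and one server certificate it issued (serial 4097 = hex 1001).
q openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo CA" -days 2
q openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=www.example.test"
q openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -set_serial 4097 \
  -days 1 -out srv.pem

# A key pair unrelated to the CA, standing in for whoever sits on the HTTP path.
q openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
  -subj "/CN=Unrelated Signer" -days 2

# Responder database in "openssl ca" index format: serial 1001 is Valid.
printf 'V\t350101000000Z\t\t1001\tunknown\t/CN=www.example.test\n' > index.txt

# The client's request, then two responses to it that both claim "good".
q openssl ocsp -issuer ca.pem -cert srv.pem -no_nonce -reqout req.der
q openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
  -reqin req.der -respout genuine.der -ndays 1
q openssl ocsp -index index.txt -CA ca.pem -rsigner other.pem -rkey other.key \
  -reqin req.der -respout unauthorized.der -ndays 1

# Accept a response only if the responder's signature chains to the trusted CA
# AND the status is good. The status line alone is not enough: it reports what
# the response claims, whoever signed it.
verify_ocsp() {   # $1 = DER-encoded OCSP response, as fetched over plain HTTP
  out=$(openssl ocsp -issuer ca.pem -cert srv.pem -no_nonce \
          -respin "$1" -CAfile ca.pem 2>&1 || true)
  if printf '%s\n' "$out" | grep -q 'Response verify OK' &&
     printf '%s\n' "$out" | grep -q 'srv.pem: good'; then
    echo accepted
  else
    echo rejected
  fi
}

echo "signed by the CA:         $(verify_ocsp genuine.der)"
echo "signed by unrelated key:  $(verify_ocsp unauthorized.der)"
```

Both responses travel as plain files here, just as they would over plain HTTP; the only thing separating them is whether the signer's certificate verifies against the trusted CA.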
