On 17.06.2016 22:39, Александр Кириллов wrote:
yes and no, but faking a valid OCSP response that says good instead of
revoked is also possible ...
Could you please provide any proof for that statement? If it were true
the whole PKI infrastructure should probably be thrown out of the
window. )
question back: is the SHA2 discussion a real security impact or just
paranoia?
so provide a proof of the following statement:
"using OCSP Stapling is as secure as not using OCSP Stapling"
just think of the "parallel universe" called real life ...
do you believe a car dealer that a used car is ok, or do you want a
proof by third party?
(here the car dealer is the server and 3rd pardy is the OCSP server or
CRL provided by the CA)
for me I refuse it or in other words, when there is no OCSP response and
I don't get a CRL from the CA
the SSL-host is blocked;
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
