On 10/28/2015 11:44 AM, Jakob Bohm wrote:
> On 27/10/2015 21:21, Walter H. wrote:
>> ...
>>>
>> OCSP must not be https ...
>> the same with CRL download ...
> Really, I thought that was only a recent cop out rule to
> cater to clients with inferior SSL libraries that can't
> handle the recursion.
>
> Of course one should not initiate an HTTPS connection to
> a server to (directly or indirectly) validate the server's
> certificate for another such connection, but I know no
> inherent reason not to use HTTPS for CRL and OCSP access
> as long as infinite recursion is avoided, preferably
> through the choice of server certificates.

There are environments where https must be used for OCSP, due to
policy fiat and/or firewall restrictions.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
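The recursion Jakob describes can be checked before deploying an HTTPS-only OCSP or CRL endpoint: if validating certificate A requires an HTTPS fetch from a host whose own certificate B is (directly or indirectly) revocation-checked via a host presenting A, the client can never finish. The following script is an added example, not code from the thread or from OpenSSL. It models the deployment as a graph (constructed sample data: which certificate each hostname presents, and the OCSP/CRL URLs carried in each certificate) and reports any certificate whose HTTPS revocation endpoints loop back on themselves. Plain HTTP endpoints create no dependency, which is why the first two sample certificates pass and the third does not.

```python
from urllib.parse import urlparse

# Constructed sample data (hypothetical hostnames and certificate labels).
# HOST_CERT: the certificate a revocation host presents on its TLS listener.
HOST_CERT = {
    "ocsp.example": "cert-ocsp-http",
    "ocsp.intranet.example": "cert-ocsp-intranet",
    "ocsp.loop.example": "cert-ocsp-loop",
    "crl.loop.example": "cert-crl-loop",
}
# CERT_ENDPOINTS: OCSP (AIA) and CRL distribution point URLs found in each
# certificate. Only https:// entries pull another certificate into the check.
CERT_ENDPOINTS = {
    "cert-web": ["http://ocsp.example/", "http://crl.example/ca.crl"],
    # HTTPS OCSP as a policy requirement, but the responder's own certificate
    # is checked over plain HTTP, so the chain of fetches terminates.
    "cert-intranet": ["https://ocsp.intranet.example/"],
    "cert-ocsp-intranet": ["http://ocsp.example/"],
    "cert-ocsp-http": [],
    # Mis-designed deployment: the OCSP responder's certificate is checked via
    # an HTTPS CRL host whose certificate is checked via that same responder.
    "cert-loop": ["https://ocsp.loop.example/"],
    "cert-ocsp-loop": ["https://crl.loop.example/ca.crl"],
    "cert-crl-loop": ["https://ocsp.loop.example/"],
}


def https_dependencies(cert, host_cert=HOST_CERT, cert_endpoints=CERT_ENDPOINTS):
    """Certificates that must be validated before `cert` can be revocation-
    checked: one for each OCSP/CRL endpoint that is reachable only over HTTPS."""
    deps = []
    for url in cert_endpoints.get(cert, []):
        parts = urlparse(url)
        if parts.scheme != "https":
            continue  # plain HTTP fetch: no TLS handshake, no extra certificate
        served = host_cert.get(parts.hostname)
        if served is not None and served not in deps:
            deps.append(served)
    return deps


def find_revocation_cycle(cert, host_cert=HOST_CERT, cert_endpoints=CERT_ENDPOINTS):
    """Depth-first walk of the HTTPS dependency graph starting at `cert`.
    Returns the list of certificates forming a loop (first element repeated
    at the end), or None when every chain of fetches terminates."""
    path, on_path = [], set()

    def visit(c):
        if c in on_path:
            return path[path.index(c):] + [c]
        on_path.add(c)
        path.append(c)
        for dep in https_dependencies(c, host_cert, cert_endpoints):
            found = visit(dep)
            if found:
                return found
        path.pop()
        on_path.discard(c)
        return None

    return visit(cert)


def audit(cert_endpoints=CERT_ENDPOINTS, host_cert=HOST_CERT):
    """Map every certificate to its revocation loop (or None if it is safe)."""
    return {c: find_revocation_cycle(c, host_cert, cert_endpoints)
            for c in cert_endpoints}


if __name__ == "__main__":
    for cert, loop in audit().items():
        status = "ok" if loop is None else "LOOP " + " -> ".join(loop)
        print(f"{cert:20s} {status}")
```

In a real audit the two tables would be filled from the certificates actually served on the revocation hosts and from their AIA and CRL distribution point extensions; the usual way to break a loop once found is the one Jakob points at, namely choosing responder certificates whose own revocation data is fetched over plain HTTP (or is exempt from checking altogether).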