Questions tagged [ocsp]
Online Certificate Status Protocol (OCSP) is a protocol used for validation (i.e., revocation status) of X.509 certificates in a PKI system as a real-time alternative to CRLs.
80 questions
1 vote, 1 answer, 52 views
What is the correct OCSP response for unknown issuer?
I have a hard time understanding the OCSP RFC 6960.
Two basic questions:
Simple: What is the canonically correct way of answering to an OCSP request for an unknown (end-entity) certificate serial ...
4 votes, 2 answers, 806 views
Let's Encrypt stopping OCSP and using CRL's instead: what about stapling?
The Let's Encrypt CA has indicated that they won't support OCSP anymore, citing privacy concerns, among other issues related to running the service. OCSP requires the user agent / browser to contact ...
0 votes, 1 answer, 184 views
Why is Apple able to encrypt their OCSP requests but others (Amazon Trust Services, Comodo, DigiCert, GlobalSign, Sectigo, etc) cannot?
Apple hosts https://ocsp2.apple.com even though it’s supposedly not possible to encrypt OCSP requests, which supposedly need to be sent unencrypted over port 80. How does Apple use HTTPS anyway and ...
1 vote, 0 answers, 822 views
Android Certificate Revocation Checking
I am hoping I can leverage everyone's knowledge on this one as I am at a loss.
I have an Android 10 Device connecting to a containerized web application that is secured by a custom Certificate ...
0 votes, 1 answer, 500 views
Why is OCSP must-staple secure?
Trying to understand OCSP stapling and OCSP must-staple, I've read multiple explanations, but I still don't understand what makes OCSP must-staple secure.
My understanding is that, during TLS, the ...
0 votes, 1 answer, 186 views
Advantage of using OCSP stapling compared to frequently renewed TLS certificates without OCSP
What's the advantage of using OCSP stapling with some OCSP response validity period compared to a TLS certificate with the same short validity period which would have to be renewed at the same ...
5 votes, 1 answer, 383 views
Do VPNs log and analyze OCSP requests?
I am a privacy-conscious user currently living in Russia where the Internet is censored and monitored by the Russian state. Russian ISPs are legally required to log and store all users’ Internet ...
1 vote, 1 answer, 356 views
How does the client get the certificate (and public key) of the delegated authority (OCSP responder) to confirm the response in OCSP?
I have one question regarding the OCSP protocol to check if the certificate is revoked or not. The question is about checking whether the intermediate CA certificate immediately below the root CA is ...
1 vote, 0 answers, 393 views
Any vulnerability of OCSP for proof of concept
I have an assignment in which I have to implement OCSP and do a proof of concept of a vulnerability.
My idea was to implement OCSP without using a nonce (this is done) and then perform a replay attack....
1 vote, 0 answers, 247 views
Implement Replay attacks in python [closed]
For an assignment I have to implement a proof of concept and (optionally attack it). The part of OCSP is working so far. I have a client that sends the request to a server, the server verifies if the ...
2 votes, 0 answers, 407 views
OCSP Must-Staple test website?
I'm interested in the status of OCSP respect in modern browsers (particularly the one I'm using right now).
Is there any website that will allow me to test how my browser treats the status_request ...
0 votes, 1 answer, 319 views
Exposing ADCS OCSP on the Public Internet
I am building a Certificate Authority using Windows Server ADCS as a 'Standalone' CA but my application would be greatly improved if I can utilise OCSP.
Is the ADCS Online Responder Role Service ...
0 votes, 0 answers, 683 views
Why my certificate does not have OCSP must-staple extension even when CSR contains it, is OCSP must-staple still used?
We received recently security report with [low] security issue: Missing "Must-Staple" extension on certificate.
With help of old article oscp-must-staple I managed to create CRA with ...
1 vote, 1 answer, 660 views
Is a OCSP request verified via TLS?
I was wondering if the connection towards the OCSP responder/server is TLS encrypted itself. Meaning that the client requesting a validity check for a certificate verifies the OCSP server's certificate?...
0 votes, 2 answers, 665 views
Is Mac OS Big Sur Spying?
I would like to know if macOS "Big Sur" sends unencrypted OCSP requests. I am a newbie and not aware of technical stuff, but when I came across Jeffrey Paul's article, I am a bit concerned ...