johncolanduoni 4 years ago
Mandatory OCSP is security theater? That's a pretty bold claim.

3 comments

  josephcsible 4 years ago
  Mandatory OCSP that fails open when you're offline is security theater.

    snowwrestler 4 years ago
    OCSP fails open by definition because it is a revocation protocol. In the absence of revocation, a valid cert continues to be valid.

    The problem here is simply that Apple did not build a short enough timeout into their client.

      anticensor 4 years ago
      Make OCSP fail locked and it would be a software imprisonment protocol instead.
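The thread argues over three client-side choices: what to do when the responder cannot be reached (fail open vs. fail closed), and how long to wait before giving up. The example below is added here to make that decision structure concrete; it is not code from any of the commenters or from Apple, and it does not speak real OCSP. The responders are constructed stand-ins (one answers good, one revoked, one refuses the connection, one accepts the request and hangs), and the `Status` tri-state, `check_revocation` and `allow_launch` names are this example's own. The point it demonstrates is that only a bounded timeout plus an explicit UNKNOWN state lets the policy layer, rather than the network, decide the outcome, and that "fail closed" blocks every launch whose check came back UNKNOWN, whatever the cause.

```python
import threading
import time
from enum import Enum


class Status(Enum):
    """Tri-state outcome of a revocation lookup (names are this example's own)."""
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # no trustworthy answer: offline, timed out, malformed reply


def check_revocation(responder, timeout_s):
    """Run `responder` (a stand-in for the OCSP request/response round trip)
    under a hard deadline. Anything other than a definite GOOD or REVOKED,
    including a hang past `timeout_s`, collapses to UNKNOWN so that the
    policy layer, not the network, decides what happens next."""
    answer = []

    def worker():
        try:
            answer.append(responder())
        except Exception:          # connection refused, DNS failure, bad response ...
            answer.append(Status.UNKNOWN)

    # Daemon thread: a responder that never answers must not pin the process.
    t = threading.Thread(target=worker, daemon=True)
    t.start()
    t.join(timeout_s)
    if t.is_alive() or not answer:
        return Status.UNKNOWN
    return answer[0]


def allow_launch(status, fail_closed):
    """Policy layer. REVOKED always blocks and GOOD always allows; the whole
    soft-fail vs. hard-fail argument is about what to do with UNKNOWN."""
    if status is Status.REVOKED:
        return False
    if status is Status.GOOD:
        return True
    return not fail_closed


# Constructed responders standing in for real OCSP responders (no network).
def responder_good():
    return Status.GOOD


def responder_revoked():
    return Status.REVOKED


def responder_offline():
    raise ConnectionRefusedError("no route to responder")


def responder_hung():
    time.sleep(5)              # accepts the request and never answers
    return Status.GOOD


def run_scenarios(timeout_s):
    """Return {scenario: (status, soft_fail_allows, hard_fail_allows, seconds_waited)}."""
    out = {}
    for name, responder in [("good", responder_good), ("revoked", responder_revoked),
                            ("offline", responder_offline), ("hung", responder_hung)]:
        start = time.monotonic()
        status = check_revocation(responder, timeout_s)
        waited = time.monotonic() - start
        out[name] = (status,
                     allow_launch(status, fail_closed=False),
                     allow_launch(status, fail_closed=True),
                     round(waited, 2))
    return out


if __name__ == "__main__":
    for name, row in run_scenarios(timeout_s=0.25).items():
        print(f"{name:8} status={row[0].value:8} soft-fail launches={row[1]!s:5} "
              f"hard-fail launches={row[2]!s:5} waited={row[3]}s")
```

Raise `timeout_s` and the "hung" row is the only one that changes: the status stays UNKNOWN, but the user now waits the full timeout before finding out, which is the behaviour the thread attributes to Apple's client. A real client does more than this model shows: it verifies the responder's signature and the response validity window before treating an answer as GOOD or REVOKED, and consults a cache before going to the network at all.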