Comment by snowwrestler
4 years ago
OCSP fails open by definition because it is a revocation protocol. In the absence of revocation, a valid cert continues to be valid.
The problem here is simply that Apple did not build a short enough timeout into their client.
Make OCSP fail locked and it would be a software imprisonment protocol instead.
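An added illustration of the comment above (not code from the commenter or from Apple): a revocation lookup in which only an explicit "revoked" answer blocks, and the timeout bounds how long a stalled responder can delay the decision. The loopback responder, its one-word replies, and the `fail_open` switch are constructed stand-ins for this sketch, not real OCSP encoding or any real client's API.

```python
import socket
import threading
import time

def start_fake_responder(status: bytes, delay: float) -> int:
    """Constructed stand-in for a responder: replies `status` after `delay` s."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)  # connections queue here even before accept() runs

    def serve():
        conn, _ = srv.accept()
        time.sleep(delay)  # a large delay models a responder that is up but stalled
        try:
            conn.sendall(status)
        except OSError:
            pass  # client already gave up
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def check_revocation(port: int, timeout: float, fail_open: bool = True):
    """Return (decision, seconds_waited) for one revocation lookup.

    The timeout applies to the connect and to the read separately.
    """
    start = time.monotonic()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            answer = s.recv(16)
    except OSError:  # timeout, refused, reset: no answer was obtained
        answer = None
    waited = time.monotonic() - start
    if answer == b"revoked":
        return "block", waited  # the only case where revocation is known
    if answer == b"good" or fail_open:
        return "allow", waited  # no revocation seen, so the cert stays valid
    return "block", waited      # fail closed: an unreachable responder blocks everything

if __name__ == "__main__":
    for status, delay in [(b"good", 0), (b"revoked", 0), (b"good", 5)]:
        port = start_fake_responder(status, delay)
        print(status, delay, check_revocation(port, timeout=0.3))
```

With a stalled responder the fail-open decision is still "allow", but the wait before that decision equals the timeout, which is the cost the comment attributes to the client.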