On 06.09.2015 at 15:06, Kaspar Brand wrote:
> Taking into account that OCSP responders from the big players are running on fairly robust infrastructure these days (cf. the sr.symcd.com example, aka ocsp.verisign.net, aka ocsp.ws.symantec.com.edgekey.net), I'm not buying the "OCSP is unreliable" statement in this wholesale form.
"Fairly robust" doesn't change the fact that they would be a perfect DDoS target, and so an attacker would point one botnet at your server and another at the matching OCSP responder - not to forget how many sites you could DDoS if clients enforced OCSP and hard-failed.

Currently they are not a target for such attacks.