by notanote 1480 days ago
OCSP is done over plain HTTP (for obvious reasons), so the OCSP provider doesn’t have exclusive access to this data. There is not much value there for DigiCert and others when every ISP can potentially sell the same data.

OCSP stapling helps maintain privacy, so eg. ESNI isn’t completely pointless when stapling is used.
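A quick way to see whether a server actually staples, since that is what keeps the client from contacting the CA's responder itself. This is an added example, not code from the thread; it assumes `openssl` is installed for the live probe, and the sample `s_client -status` output it parses is constructed here for illustration.

```sh
#!/bin/sh
# Classify the OCSP stapling status of a TLS server from the output of
# `openssl s_client -status` (read on stdin). Prints one of:
#   none            - no stapled response; the client would have to query the
#                     CA responder itself (over plain HTTP, revealing the site)
#   stapled:good    - stapled response present, certificate not revoked
#   stapled:revoked - stapled response present, certificate revoked
#   stapled:other   - response present but status unexpected; inspect manually
classify_stapling() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo none
        return 0
    fi
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
    case "$status" in
        good)    echo stapled:good ;;
        revoked) echo stapled:revoked ;;
        *)       echo stapled:other ;;
    esac
}

# Probe a live host (assumption: openssl present and the host reachable).
probe_stapling() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -status \
        </dev/null 2>/dev/null | classify_stapling
}

# Constructed sample outputs, trimmed to the lines s_client prints
# in each case, so the classifier can be exercised offline.
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
---'
SAMPLE_STAPLED_GOOD='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2020 GMT'

# Usage against a real host: probe_stapling example.com
```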

2 comments

What sort of logic is that. "This data isn't private because we just broadcast it to the entire internet on your behalf" doesn't strike me as a valid argument against considering privacy.

If it is I'm going to use this way more in all the compliance meetings I attend. Oh, you're worried about the secrecy of all this proprietary private information we're holding? Don't worry, I'll just wrap it in a torrent, broadcast it to the DHT, and _now_ it's no longer private, so the secrecy doesn't matter.

>OCSP is done over plain HTTP (for obvious reasons)

It's not obvious to me. Why can't it be done over HTTPS? From what I can tell nothing stops you from doing that.

If OCSP was done over HTTPS, you'd end up with an infinite loop - you'd have to do an OCSP query to check that the OCSP server's certificate is not revoked, and so on.
Sure, HTTPS wouldn't help if an attacker had the cert for the OCSP server, but I feel like that is rare to happen compared to other certs being revoked, and I believe there are privacy / anticensorship benefits you can get from HTTPS.

To me it seems simple to just skip an OCSP check compared to having to use HTTP.

I think because what is asked for is a list of revoked certs, and the connection being used could be already on that blacklist. The list must be available without the involvement of what is being checked.

That's not what OCSP is. OCSP just lets you query the status of a cert.