Risks associated with having an Online Responder over the internet
There are no risks at all. OCSP was designed as an external (public) web service to serve client requests over the large internet.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
October 17th, 2012 10:27am

It's an HTTP connection over the internet; can we have an HTTPS server for CDP, AIA and OCSP?
October 18th, 2012 1:45am

Hi, unfortunately OCSP does not appear to support HTTPS.
October 18th, 2012 2:34am

OCSP cannot use HTTPS - it would introduce a circular dependency. OCSP responses are signed with the responder's certificate. So, to perform revocation checking of a certificate you would contact the OCSP, and get a signed answer. Then you would need to perform a revocation check on the certificate that signed the response, and the response would again be signed, you would need to verify... and so on. Really, revocation information is not sensitive data and does not need protecting. The process is performed anonymously, so there would be nothing to learn if you recorded the traffic.
[Edit] You need, of course, to take proper measures to harden the service, just like anything that you put on the public internet. But there is no use for encrypting the traffic.
October 19th, 2012 4:33pm
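
The dependency described in the reply above can be modelled as a graph walk: fetching an https:// revocation URL first requires validating that server's TLS certificate, which has revocation URLs of its own. This is an added example, not part of the original thread; the certificate names, the "tls:<host>" key convention and the hosts are constructed for illustration.

```python
from urllib.parse import urlsplit


def find_revocation_loop(cert, revocation_urls, _stack=()):
    """Return the certificates forming a dependency loop, or None if checking terminates.

    revocation_urls maps a certificate name to the OCSP/CDP URLs it carries.
    The TLS server certificate of host H is keyed as "tls:H" (an assumption
    of this model, not a real naming scheme).
    """
    if cert in _stack:
        # We are already in the middle of checking this certificate: a loop.
        return list(_stack[_stack.index(cert):]) + [cert]
    for url in revocation_urls.get(cert, []):
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            continue  # plain HTTP fetch: no further certificate to validate
        # HTTPS fetch: the server's TLS certificate must be checked first.
        tls_cert = "tls:" + (parts.hostname or "")
        loop = find_revocation_loop(tls_cert, revocation_urls, _stack + (cert,))
        if loop:
            return loop
    return None


# Constructed sample data (hypothetical hosts and certificate names).
SAMPLE = {
    # Revocation data published over plain HTTP: checking terminates.
    "user-http": ["http://ocsp.pki.example/ocsp"],
    # OCSP over HTTPS, and the responder's TLS certificate points back
    # at the same HTTPS responder: checking never terminates.
    "user-https": ["https://ocsp.pki.example/ocsp"],
    "tls:ocsp.pki.example": ["https://ocsp.pki.example/ocsp"],
    # HTTPS CDP whose TLS certificate is itself checked over plain HTTP:
    # terminates, but only because the chain bottoms out in HTTP.
    "user-https-split": ["https://crl.pki.example/ca.crl"],
    "tls:crl.pki.example": ["http://ocsp.pki.example/ocsp"],
}

if __name__ == "__main__":
    for name in ("user-http", "user-https", "user-https-split"):
        print(name, "->", find_revocation_loop(name, SAMPLE))
```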

> Hi, unfortunately OCSP does not appear to support HTTPS.
Really, OCSP MUST NOT use HTTPS at all.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
November 3rd, 2012 7:35am

> > Hi, unfortunately OCSP does not appear to support HTTPS.
> Really, OCSP MUST NOT use HTTPS at all.
I noticed that the Windows Server 2008 SP1 Security Guide WRONGLY recommends using SSL for OCSP... (page 170)
Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
November 3rd, 2012 8:14am

> It's an HTTP connection over the internet; can we have an HTTPS server for CDP, AIA and OCSP?
Plain and simple: NO.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
November 3rd, 2012 9:11am

Dear All, what are the risks associated with having an online responder over the internet? How to use an HTTPS connection for OCSP?
Regards, Shaun
November 3rd, 2012 8:02pm

This topic is archived. No further replies will be accepted.
