Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Mandatory OCSP is security theater? That’s a pretty bold claim.


Mandatory OCSP that fails open when you're offline is security theater.


OCSP fails open by definition because it is a revocation protocol. In the absence of revocation, a valid cert continues to be valid.

The problem here is simply that Apple did not build a short enough timeout into their client.


Make OCSP fail locked and it would be a software imprisonment protocol instead.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: