Channel: Security forum

Should the OCSP Responder service be running HTTP (80) or HTTPS (443)?


Hi all,

I'm finishing my Highly Available setup of OCSP Response servers (Array).
I'm at the point that I have to configure my AIA (Authority Information Access) URL.
I've noticed that all configurations in the help files and manuals online at TechNet mention something like http://yourserver.contoso.com/ocsp, using http but never https. Nowhere is it mentioned that it would be a best practice to use https (instead of http).

I've been doing some research on this, thinking of scenarios where our HA OCSP Responder (only to check our own client certificates) would actually be running on a public IP, or if there would be "man in the middle" attack scenarios to take into consideration. I've found one scenario in which one can tamper with the response message: http://www.thoughtcrime.org/papers/ocsp-attack.pdf

But as an "official" or good answer from an OCSP responder is signed by the CA (responder), I think it's not needed to add SSL in the traffic, as it would not add additional security at all (no benefit).

Note that our OCSP servers would never be running on a public address; they would be offered using a reverse proxy + web application firewall. But in large networks like in my company, even for the internal network https is considered the standard.

Please share your thoughts on this topic :)

Kind Regards,
David

