The simple answer as to why OCSP isn't itself via HTTPS is that this would be a cyclical dependency: if you need to accept a certificate, you need to confirm its continuing validity. If you have to use a connection relying on that same logic to confirm validity, at what point are you then able to make a connection? The cryptographic component of OCSP, as Wikipedia points out, is providing a validating signature with the response.
On 9 Mar 2011, at 09:30, erikmccaskey64 wrote:

> But: with Wireshark I can see some "OCSP" packets [ http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]
>
> Question: What are these packets? Why aren't they in HTTPS?
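
An added illustration of the point made in the reply above (not part of the original message, and not real OCSP encoding): a status statement sent over plain HTTP is still tamper-evident because the responder signs it. The key, the field layout and the function names are constructed for this demo; it uses textbook RSA so it runs with the standard library alone.

```python
import hashlib

# Constructed responder key for the demo: two known Mersenne primes.
# Textbook RSA without padding, far too weak for real use.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the responder only


def _digest(body: bytes) -> int:
    """SHA-256 of the statement, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(body).digest(), "big")


def responder_sign(serial: str, status: str, this_update: str):
    """Responder side: build a status statement and sign its hash."""
    body = f"serial={serial};status={status};thisUpdate={this_update}".encode()
    return body, pow(_digest(body), D, N)


def client_verify(body: bytes, signature: int) -> bool:
    """Client side: needs only the responder's public key (N, E)."""
    return pow(signature, E, N) == _digest(body)


def tamper(body: bytes) -> bytes:
    """A change made to the plaintext HTTP body somewhere on the path."""
    return body.replace(b"status=revoked", b"status=good")


if __name__ == "__main__":
    # Constructed sample values.
    body, sig = responder_sign("0A1B2C", "revoked", "2011-03-09T09:00:00Z")
    print("as sent: ", client_verify(body, sig))
    print("tampered:", client_verify(tamper(body), sig))
```

The transport gives no confidentiality here, so the serial number being checked is visible on the wire, which is why the packets show up in Wireshark.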

