Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I have always been annoyed by OCSP being HTTP. It is really the fault of the standard that this is the way we revoke certificates. I basically agree that Apple should just be downloading revoked certificates and checking them locally. This is what we are doing at various SaaS companies that have to check these in order to avoid downtime. We have also mistakenly failed-closed. We now default to fail-open but customers have the option to change that if they are paranoid.


Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: