In the default configuration, the online responder returns the status "Good" for any requested certificate that does not appear on any of the configured revocation lists.
This can be problematic because the online responder has no knowledge of which certificates the certification authorities have actually issued. If an attacker succeeds in issuing a certificate using the private key of the certification authority without the certification authority's knowledge, the online responder would not detect this, and the certificate would also show up as "Good" in the audit log.
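The gap described above, as an added example that is not code from the original page or from Microsoft: a small model that compares a revocation-list-only decision with one that also consults the CA's list of issued serial numbers, then reconciles responder answers against that list. The log line format, the serial numbers and the "unknown" status returned for unlisted serials are assumptions constructed for this illustration.

```python
def normalize(serial: str) -> str:
    """Canonical serial form: lowercase hex without separators or leading zeros."""
    s = serial.replace(":", "").replace(" ", "").lower().lstrip("0")
    return s or "0"

def default_status(serial, revoked):
    """Revocation-list-only decision: anything not listed is reported as good."""
    return "revoked" if normalize(serial) in revoked else "good"

def deterministic_status(serial, revoked, issued):
    """Decision that also requires the serial to be known to the CA."""
    s = normalize(serial)
    if s in revoked:
        return "revoked"
    # Assumption of this model: serials the CA never issued get "unknown".
    return "good" if s in issued else "unknown"

def unissued_good(log_lines, issued):
    """Serials answered 'good' although the CA database has no record of them."""
    hits = []
    for line in log_lines:
        _timestamp, serial, status = [f.strip() for f in line.split(",")]
        if status.lower() == "good" and normalize(serial) not in issued:
            hits.append(normalize(serial))
    return hits

# Constructed sample data (hypothetical serials and log format).
ISSUED = {normalize(s) for s in ["1A00000002", "1a:00:00:00:03", "1A00000004"]}
REVOKED = {normalize("1A00000003")}
LOG = [
    "2024-01-01T10:00:00Z, 1A00000002, good",
    "2024-01-01T10:00:05Z, 1A00000003, revoked",
    "2024-01-01T10:00:09Z, 6F00000099, good",  # serial never issued by the CA
]

if __name__ == "__main__":
    for entry in LOG:
        serial = entry.split(",")[1].strip()
        print(serial,
              "default:", default_status(serial, REVOKED),
              "deterministic:", deterministic_status(serial, REVOKED, ISSUED))
    print("good answers for unissued serials:", unissued_good(LOG, ISSUED))
```

Running the reconciliation periodically against an export of the CA database surfaces "Good" answers for serials the CA has no record of, which the responder's own audit log does not distinguish.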