oss-sec mailing list archives

Validating OCSP response signatures


From: Tim Brown <tmb () 65535 com>
Date: Mon, 22 Jun 2015 15:37:23 +0100

Hi,

Do we consider failing (by policy) to validate the signature of OCSP responses 
to be a vulnerability? I did nudge SMC on Twitter but he was reticent to give 
a definitive view. Affects open and closed source code bases.

Tim
-- 
Tim Brown
<mailto:tmb () 65535 com>
