I haven't scanned OCSP responders in a while, but I'm sure there are still CAs signing OCSP responses with SHA-1, because it was never forbidden, and CAs will keep doing something dangerous as long as it's not forbidden.
Hopefully the SHA-1 OCSP responses are all signed from a sub-CA technically constrained to OCSP (as required by Mozilla policy) so it can't be used to forge an actual certificate.