zeusflight | 5 years ago

There is nothing in plain OCSP that prevents the responder server from logging the request along with the originating IP. Any claim that a particular server doesn't do so is either just an assumption or based on trust alone. This is why OCSP stapling is preferred over plain OCSP in browsers and also why plain OCSP can be disabled. In this particular case, trustd and other system daemons are known to skip VPN and firewall blocks - so it's a mandatory information leak.

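As an added illustration (not part of the original comment), the Python below decodes a constructed plain-OCSP GET request, laid out as in RFC 6960, to show what a responder can pair with the originating IP: the issuer key hash and the certificate serial number. The `/ocsp/` path, the issuer bytes, the serial and the 203.0.113.7 address are constructed sample values.

```python
import base64, hashlib
from urllib.parse import quote, unquote

def der(tag, body):
    # Minimal DER encoder (definite lengths), used only to build the sample.
    n = len(body)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + head + body

def tlv(buf, off=0):
    # Read one DER element: returns (tag, value, offset of the next element).
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def build_get_path(issuer_name, issuer_key, serial):
    # Constructed OCSPRequest holding one CertID (SHA-1 hashes of the issuer).
    alg = der(0x30, der(0x06, bytes.fromhex("2b0e03021a")) + der(0x05, b""))
    cert_id = der(0x30, alg
                  + der(0x04, hashlib.sha1(issuer_name).digest())
                  + der(0x04, hashlib.sha1(issuer_key).digest())
                  + der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big")))
    req = der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))
    # GET form: URL-encoded base64 of the DER request appended to the URL.
    return "/ocsp/" + quote(base64.b64encode(req).decode(), safe="")

def responder_view(client_ip, get_path):
    # What a plain-OCSP responder is able to record for one GET request.
    raw = base64.b64decode(unquote(get_path.rsplit("/", 1)[-1]))
    tbs = tlv(tlv(raw)[1])[1]          # OCSPRequest -> TBSRequest
    tag, request_list, off = tlv(tbs)
    while tag != 0x30:                 # skip optional version / requestorName
        tag, request_list, off = tlv(tbs, off)
    records, pos = [], 0
    while pos < len(request_list):
        _, request, pos = tlv(request_list, pos)
        cert_id = tlv(request)[1]
        _, _, o = tlv(cert_id)         # hashAlgorithm
        _, _, o = tlv(cert_id, o)      # issuerNameHash
        _, key_hash, o = tlv(cert_id, o)
        _, serial, _ = tlv(cert_id, o)
        records.append({"client_ip": client_ip,
                        "issuer_key_hash": key_hash.hex(),
                        "serial": hex(int.from_bytes(serial, "big"))})
    return records

SAMPLE = build_get_path(b"constructed issuer DN", b"constructed issuer key", 0x0123456789ABCDEF)
print(responder_view("203.0.113.7", SAMPLE))
```

The serial number plus issuer key hash identifies one specific certificate, so each logged record ties a client address to a certificate it checked.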