While inspecting my CA-approved cert, I noticed the following oddities:
```
Extensions/CRL Distribution Points:
    Not Critical
    URI: http://crl2.alphassl.com/gs/gsalphasha2g2.crl
Extensions/Authority Information Access:
    Not Critical
    CA Issuers: URI: http://secure2.alphassl.com/cacert/gsalphasha2g2r1.crt
    OCSP: URI: http://ocsp2.globalsign.com/gsalphasha2g2
```
Shouldn't the OCSP information be published via HTTPS (i.e., protected with TLS), to protect against MITM? Is that field just noise that shouldn't be used by a client?
I know that "Is publishing CRLs over HTTP a potential vulnerability?" explains that CRLs are always signed, so it is not a vulnerability to publish CRLs over HTTP. What about OCSP?
(Somewhat related to "Does any technology prevent a CA unilaterally revoking a certificate?")
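As an added example (not part of the question above), the script below builds a throwaway self-signed certificate carrying the same CRL Distribution Point and Authority Information Access URIs as the inspected cert, then extracts those endpoints and their URL scheme the way a client does before fetching revocation data. The key, subject name, temp paths and config file are constructed for the demo; only the URIs come from the question.

```shell
#!/bin/sh
# Constructed demo: the certificate, key and subject below are throwaway
# values; only the CRL DP and AIA URIs are taken from the question.
set -e
WORK=$(mktemp -d)

# Build a self-signed cert carrying the question's revocation-related extensions.
make_cert() {
    cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ext
prompt = no
[dn]
CN = example.invalid
[v3_ext]
crlDistributionPoints = URI:http://crl2.alphassl.com/gs/gsalphasha2g2.crl
authorityInfoAccess = caIssuers;URI:http://secure2.alphassl.com/cacert/gsalphasha2g2r1.crt,OCSP;URI:http://ocsp2.globalsign.com/gsalphasha2g2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -config "$WORK/ext.cnf" >/dev/null 2>&1
    echo "$WORK/cert.pem"
}

# OCSP responder URI from the Authority Information Access extension.
ocsp_uri() { openssl x509 -noout -ocsp_uri -in "$1"; }

# CRL URIs from the CRL Distribution Points extension (the AIA entries are
# printed as "OCSP - URI:" / "CA Issuers - URI:", so they do not match here).
crl_uris() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *URI:\(.*\)$/\1/p'
}

# Scheme of a URI (http or https): the only transport hint a client gets.
uri_scheme() { printf '%s\n' "$1" | sed 's#://.*##'; }

CERT=$(make_cert)
OCSP=$(ocsp_uri "$CERT")
echo "OCSP responder: $OCSP (scheme: $(uri_scheme "$OCSP"))"
for u in $(crl_uris "$CERT"); do
    echo "CRL:            $u (scheme: $(uri_scheme "$u"))"
done
```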