THANK YOU. I also see no reason that OCSP checks cannot support both HTTP and HTTPS. If there is some reason then the protocol should be split into two, one for unencrypted checks for things like SSL certs, and another for all other/ dev cert checks over HTTPS.
I see no reason why OCSP checks on developer certificates cannot be encrypted. This whole "oh no there could be a loop for a SSL cert check" argument seems like gaslighting. Why can't the client know if it wants to access an OCSP server using HTTP or HTTPS, and default to HTTPS when possible?
