4.1. Security Considerations for status_request_v2

If a client requests an OCSP response, it must take into account that an attacker's server using a compromised key could (and probably would) pretend not to support the extension. In this case, a client that requires OCSP validation of certificates SHOULD either contact the OCSP server directly or abort the handshake.

Use of the OCSP nonce request extension (id-pkix-ocsp-nonce) may improve security against attacks that attempt to replay OCSP responses; see Section 4.4.1 of [RFC6960] for further details.

This extension allows the client to send arbitrary data to the server. The server implementers need to handle such data carefully to avoid introducing security vulnerabilities.
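One way a server could handle this client-supplied data defensively, as an added example (not code from the RFC or from any TLS implementation): a strict parser for the status_request_v2 extension body, following the CertificateStatusRequestListV2 layout that RFC 6961 defines. The function names are hypothetical, and ResponderID and Extensions values are returned as opaque bytes without DER decoding.

```python
OCSP, OCSP_MULTI = 1, 2  # CertificateStatusType values: ocsp(1), ocsp_multi(2)


class ParseError(ValueError):
    """Raised on any malformed status_request_v2 body."""


def _take(buf, off, n):
    """Return buf[off:off+n] and the new offset, refusing to read past the end."""
    if off + n > len(buf):
        raise ParseError("length field exceeds available data")
    return buf[off:off + n], off + n


def _vector(buf, off, min_len=0):
    """Read a TLS vector that carries a 2-byte big-endian length prefix."""
    raw, off = _take(buf, off, 2)
    n = int.from_bytes(raw, "big")
    if n < min_len:
        raise ParseError("vector shorter than its minimum length")
    return _take(buf, off, n)


def parse_ocsp_status_request(body):
    """OCSPStatusRequest: responder_id_list<0..2^16-1>, request_extensions<0..2^16-1>."""
    id_list, off = _vector(body, 0)
    extensions, off = _vector(body, off)
    if off != len(body):
        raise ParseError("trailing bytes in OCSPStatusRequest")
    responders, pos = [], 0
    while pos < len(id_list):
        rid, pos = _vector(id_list, pos, min_len=1)  # ResponderID<1..2^16-1>
        responders.append(rid)
    return {"responder_ids": responders, "extensions": extensions}


def parse_status_request_v2(ext_data):
    """Parse CertificateStatusRequestListV2; unknown status types are skipped by length."""
    items_raw, off = _vector(ext_data, 0, min_len=1)  # the list must not be empty
    if off != len(ext_data):
        raise ParseError("trailing bytes after request list")
    items, pos = [], 0
    while pos < len(items_raw):
        hdr, pos = _take(items_raw, pos, 1)       # status_type
        request, pos = _vector(items_raw, pos)    # request_length + request
        if hdr[0] in (OCSP, OCSP_MULTI):
            items.append((hdr[0], parse_ocsp_status_request(request)))
    return items
```

Every length prefix is checked against the bytes actually present before any slice is taken, and each nested structure must consume its declared length exactly, so a mismatched length is rejected rather than reinterpreted.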

The security considerations of [RFC6960] apply to OCSP requests and responses.