- Type: Improvement
- Resolution: Unresolved
- Priority: Major - P3
- None
- Affects Version/s: None
- Component/s: Security
- Labels: None
- Server Security
- Security 2020-06-29, Security 2020-07-27
If an OCSP response says revoked, the timestamp on that response is not checked. Currently, because the timestamp information is not checked, the server staples the response for 10 minutes and refreshes the staple after 5 minutes, and the client caches the response object for 10 minutes regardless of what the response itself says about its validity.
If the nextUpdate field is set in the status response object, the server and client should use the time prescribed by the status response object as the validity period instead of the fixed 10-minute window, and a response whose nextUpdate has already passed should not be stapled or cached at all.
If no nextUpdate field is set in the status response object during client OCSP acquisition and verification, the client should choose a refresh period depending on the revocation status of the certificate.
This should be investigated with guidance from the OCSP RFC (RFC 6960) to determine the proper format of OCSP responses when the status is revoked. Note that RFC 6960 section 4.2.2.1 says that when nextUpdate is absent the responder is indicating that newer revocation information is available all the time, which argues for a short refresh period in that case.
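The selection logic the description sketches, written out as an added example (Python, standard library only; this is not MongoDB server code). It derives a staple/cache lifetime and a refresh time from thisUpdate, nextUpdate and the certificate status. The 10-minute/5-minute values are the current defaults named above; the 1-minute window for a revoked or unknown status without nextUpdate, the 5-minute clock-skew tolerance, and the names `SingleResponse`, `RefreshPlan` and `plan_refresh` are this example's own assumptions, not values the ticket specifies.

```python
"""Choose how long to staple/cache an OCSP response and when to refresh it.

Added example, not MongoDB server code. Constants marked hypothetical are
this example's assumptions; the ticket does not specify them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class SingleResponse:
    """The fields of an OCSP SingleResponse (RFC 6960 4.2.1) that matter here."""
    status: CertStatus
    this_update: datetime
    next_update: Optional[datetime]  # OPTIONAL in the ASN.1; None when absent


@dataclass(frozen=True)
class RefreshPlan:
    valid_until: datetime  # when the staple / cache entry must be dropped
    refresh_at: datetime   # when to go back to the responder
    reason: str


DEFAULT_VALIDITY = timedelta(minutes=10)  # current behaviour described in the ticket
# Hypothetical windows for responses without nextUpdate. RFC 6960 4.2.2.1 says
# a missing nextUpdate means newer information is available "all the time",
# so bad news is held only briefly; "good" keeps the existing 10-minute default.
NO_NEXT_UPDATE_VALIDITY = {
    CertStatus.GOOD: DEFAULT_VALIDITY,
    CertStatus.REVOKED: timedelta(minutes=1),
    CertStatus.UNKNOWN: timedelta(minutes=1),
}
MAX_CLOCK_SKEW = timedelta(minutes=5)  # hypothetical tolerance for thisUpdate


def plan_refresh(resp: SingleResponse, now: datetime) -> Optional[RefreshPlan]:
    """Return when to drop and when to refresh `resp`, or None if it is unusable."""
    if resp.this_update > now + MAX_CLOCK_SKEW:
        return None  # produced in the future beyond tolerable skew: reject
    if resp.next_update is not None:
        if resp.next_update <= resp.this_update:
            return None  # malformed: validity window is empty or inverted
        if resp.next_update <= now:
            return None  # already expired: neither staple nor cache it
        remaining = resp.next_update - now
        # Honour the responder's window; refresh halfway through what is left,
        # mirroring the existing 10-minute / 5-minute ratio.
        return RefreshPlan(resp.next_update, now + remaining / 2, "nextUpdate")
    validity = NO_NEXT_UPDATE_VALIDITY[resp.status]
    return RefreshPlan(now + validity, now + validity / 2,
                       f"no nextUpdate, status={resp.status.value}")


def demo() -> dict:
    """Run the policy over constructed sample responses at a fixed clock."""
    now = datetime(2020, 7, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    samples = {  # constructed responses, not captured from a real responder
        "good_with_next_update": SingleResponse(
            CertStatus.GOOD, now - timedelta(hours=1), now + timedelta(hours=1)),
        "expired": SingleResponse(
            CertStatus.GOOD, now - timedelta(hours=2), now - timedelta(hours=1)),
        "good_no_next_update": SingleResponse(
            CertStatus.GOOD, now - timedelta(minutes=1), None),
        "revoked_no_next_update": SingleResponse(
            CertStatus.REVOKED, now - timedelta(minutes=1), None),
        "from_the_future": SingleResponse(
            CertStatus.GOOD, now + timedelta(minutes=10), None),
    }
    out = {}
    for name, resp in samples.items():
        plan = plan_refresh(resp, now)
        out[name] = None if plan is None else (
            plan.valid_until.isoformat(), plan.refresh_at.isoformat())
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Whether the refresh point for a long responder window (days, with some CAs) should be capped at a shorter interval is a separate policy decision; the function above simply follows the window the responder set, which is what the description asks for.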
- is related to: SERVER-49218 Determine validity period for OCSP responses without nextUpdate [Blocked]