Core Server / SERVER-48577

Investigate OCSP Revoked


Details

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major - P3
    • Security
    • Server Security
    • Security 2020-06-29, Security 2020-07-27

    Description

      If an OCSP response reports a status of revoked, the timestamp on that response is not checked. Currently, when the timestamp information is not checked, the server staples the response for 10 minutes and refreshes the staple at 5 minutes. The client caches the response object for 10 minutes.

      If the nextUpdate field is set in the status response object, the server and client should use the time prescribed on the status response object.

      If no nextUpdate field is set in the status response object in client OCSP acquisition and verification, then the client should choose a refresh period depending on the revocation status of the certificate.

      This should be investigated with guidance from the OCSP RFC to see what the proper format of OCSP responses is when the status is revoked.
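      The refresh policy the description asks for, written out as an added example (not MongoDB's code): the response timestamps are validated regardless of the certificate status, the nextUpdate time is honoured when present, and only when it is absent does the lifetime fall back to a status-dependent default. The 10-minute staple and 5-minute refresh come from the ticket; the clock-skew allowance and the shorter fallback lifetime for revoked or unknown responses are assumptions chosen for illustration, as are the class and function names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Defaults stated in the ticket: staple/cache for 10 minutes, refresh at 5.
DEFAULT_LIFETIME = timedelta(minutes=10)
# Assumptions for this example, not values from the ticket.
CLOCK_SKEW = timedelta(minutes=5)
REVOKED_FALLBACK_LIFETIME = timedelta(minutes=1)


@dataclass
class OcspSingleResponse:
    """Fields of one OCSP SingleResponse (RFC 6960 naming) this policy needs."""
    cert_status: str                      # "good", "revoked" or "unknown"
    this_update: datetime                 # thisUpdate, timezone-aware
    next_update: Optional[datetime] = None  # nextUpdate, may be absent


@dataclass
class StaplePolicy:
    lifetime: timedelta       # how long the response may be stapled / cached
    refresh_after: timedelta  # when a fresh response should be fetched


class OcspTimestampError(ValueError):
    """Raised when a response's timestamps make it unusable."""


def validate_timestamps(resp: OcspSingleResponse, now: datetime) -> None:
    """Reject responses from the future or already past nextUpdate.

    Applied to every response, including revoked ones, which is the gap the
    ticket describes.
    """
    if resp.this_update > now + CLOCK_SKEW:
        raise OcspTimestampError("thisUpdate is in the future")
    if resp.next_update is not None:
        if resp.next_update < resp.this_update:
            raise OcspTimestampError("nextUpdate precedes thisUpdate")
        if resp.next_update + CLOCK_SKEW < now:
            raise OcspTimestampError("response is past nextUpdate")


def choose_staple_policy(resp: OcspSingleResponse, now: datetime) -> StaplePolicy:
    """Derive staple lifetime and refresh point from the response."""
    validate_timestamps(resp, now)
    if resp.next_update is not None:
        # Use the time the responder prescribed; a response within the skew
        # window but already past nextUpdate gets a zero lifetime, i.e. refresh now.
        lifetime = max(resp.next_update - now, timedelta(0))
    elif resp.cert_status == "good":
        lifetime = DEFAULT_LIFETIME
    else:
        # Assumption: without a nextUpdate, a revoked/unknown answer is cached
        # only briefly so a responder fix or transient error is picked up quickly.
        lifetime = REVOKED_FALLBACK_LIFETIME
    return StaplePolicy(lifetime=lifetime, refresh_after=lifetime / 2)


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real responder.
    now = datetime(2020, 6, 29, 12, 0, tzinfo=timezone.utc)
    samples = [
        OcspSingleResponse("revoked", now - timedelta(minutes=1), now + timedelta(minutes=30)),
        OcspSingleResponse("good", now - timedelta(minutes=1)),
        OcspSingleResponse("revoked", now - timedelta(minutes=1)),
        OcspSingleResponse("revoked", now + timedelta(minutes=10)),
    ]
    for s in samples:
        try:
            print(s.cert_status, choose_staple_policy(s, now))
        except OcspTimestampError as e:
            print(s.cert_status, "rejected:", e)
```

      The example deliberately does not cap the lifetime taken from nextUpdate; whether a responder-supplied window of days should be bounded by a local maximum is a separate decision from the one the ticket raises.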

      People

        backlog-server-security Backlog - Security Team
        shreyas.kalyan@mongodb.com Shreyas Kalyan