- Type: Task
- Resolution: Unresolved
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Security
- Labels: None
- Server Security
- Security 2020-07-27
Per RFC 6960 (section 4.2.2.1), the nextUpdate field of an OCSP SingleResponse is OPTIONAL. When the responder omits it, it is indicating that newer revocation information is available from the responder at any time, so the response carries no explicit expiry for the server to schedule against.
When stapling a CERT_STATUS_GOOD response that has no nextUpdate, the server should not staple it if a driver would reject the response because of its age. The server should discard any response a driver would reject, regardless of whether it was able to obtain a fresh response from the responder; a stale response must not be kept as a fallback.
When stapling a CERT_STATUS_REVOKED response that has no nextUpdate, the server should refresh the stapled response on an arbitrary (configured) interval, since there is no nextUpdate to derive a refresh time from.
If clients and drivers decide to reject every stapled response that lacks nextUpdate, the server should never staple such responses.
We should determine the correct and expected behavior for every response that lacks a nextUpdate field.
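The stapling policy sketched above, as an added example that is not the server's code and not from this ticket: a plain-Python model of the decision the server has to make for a response whose nextUpdate is omitted. The names (SingleResponse, decide_staple, client_would_accept), the policy values (CLIENT_MAX_AGE, REVOKED_REFRESH_INTERVAL, CLOCK_SKEW) and the sample responses are assumptions chosen for illustration; in particular it assumes drivers apply the same age limit to REVOKED responses as to GOOD ones, which the ticket only states for GOOD. No real OCSP parsing is done.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class SingleResponse:
    """Subset of an RFC 6960 SingleResponse relevant to the stapling decision."""
    status: CertStatus
    this_update: datetime
    # None models an omitted nextUpdate (the field is OPTIONAL): the responder
    # says newer information is available at any time, so there is no expiry.
    next_update: Optional[datetime]


@dataclass(frozen=True)
class StapleDecision:
    staple: bool          # whether the server should staple this response now
    refresh_at: datetime  # when the server should query the responder again
    reason: str


# Policy knobs. These values are assumptions for the example, not MongoDB's.
CLIENT_MAX_AGE = timedelta(days=7)             # drivers assumed to reject older nextUpdate-less responses
REVOKED_REFRESH_INTERVAL = timedelta(hours=1)  # the "arbitrary refresh interval" for REVOKED
CLOCK_SKEW = timedelta(minutes=5)              # tolerance for responder/server clock drift


def client_would_accept(resp, now, clients_reject_missing_next_update=False):
    """Model of the driver-side freshness check (assumed, not a real driver);
    the server must never staple a response this function rejects."""
    if resp.this_update > now + CLOCK_SKEW:
        return False  # produced in the future: clock problem or bogus response
    if resp.next_update is None:
        if clients_reject_missing_next_update:
            return False
        return now - resp.this_update <= CLIENT_MAX_AGE
    return now <= resp.next_update + CLOCK_SKEW


def decide_staple(resp, now, clients_reject_missing_next_update=False):
    """Decide whether to staple `resp` at time `now` and when to refresh it.
    A decision not to staple means the response is discarded outright; whether
    the server managed to fetch a replacement does not change that."""
    if resp.this_update > now + CLOCK_SKEW:
        return StapleDecision(False, now, "thisUpdate is in the future; discard")

    if resp.next_update is not None:
        if now > resp.next_update + CLOCK_SKEW:
            return StapleDecision(False, now, "past nextUpdate; discard and refetch")
        # Refresh halfway through the validity window so a responder outage
        # still leaves a valid staple for a while.
        halfway = resp.this_update + (resp.next_update - resp.this_update) / 2
        return StapleDecision(True, max(now, halfway), "within thisUpdate..nextUpdate window")

    # nextUpdate omitted: no responder-supplied expiry to schedule from.
    if clients_reject_missing_next_update:
        return StapleDecision(False, now, "clients reject responses without nextUpdate; never staple")
    age = now - resp.this_update
    if age > CLIENT_MAX_AGE:
        # Drivers would reject it on age, so it is discarded even if no fresh
        # response could be fetched.
        return StapleDecision(False, now, f"{resp.status.name} response older than client max age; discard")
    if resp.status is CertStatus.GOOD:
        # Refresh well before the response would hit the drivers' age limit.
        return StapleDecision(True, max(now, resp.this_update + CLIENT_MAX_AGE / 2),
                              "GOOD response young enough for clients; refresh on age")
    if resp.status is CertStatus.REVOKED:
        # Nothing to derive a refresh time from, so use the fixed interval.
        return StapleDecision(True, now + REVOKED_REFRESH_INTERVAL,
                              "REVOKED response; refresh on the configured interval")
    return StapleDecision(False, now, "UNKNOWN status; nothing useful to staple")


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real responder.
    now = datetime(2020, 7, 27, 12, 0, tzinfo=timezone.utc)
    samples = {
        "good, 1 day old, no nextUpdate": SingleResponse(CertStatus.GOOD, now - timedelta(days=1), None),
        "good, 8 days old, no nextUpdate": SingleResponse(CertStatus.GOOD, now - timedelta(days=8), None),
        "revoked, 30 min old, no nextUpdate": SingleResponse(CertStatus.REVOKED, now - timedelta(minutes=30), None),
        "revoked, 30 days old, no nextUpdate": SingleResponse(CertStatus.REVOKED, now - timedelta(days=30), None),
        "good, nextUpdate in 1h": SingleResponse(CertStatus.GOOD, now - timedelta(hours=1), now + timedelta(hours=1)),
    }
    for label, resp in samples.items():
        d = decide_staple(resp, now)
        assert not d.staple or client_would_accept(resp, now)  # never staple what a driver would reject
        print(f"{label:38} staple={d.staple!s:5} refresh_at={d.refresh_at:%Y-%m-%d %H:%M} ({d.reason})")
```

The one invariant worth keeping whatever values the knobs take is the assertion in the loop: a response the modelled driver would reject is never stapled, and the age limit applies before the GOOD/REVOKED split, so the "arbitrary refresh interval" for REVOKED only ever schedules refreshes of a response clients still accept.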
- related to SERVER-48577 Investigate OCSP Revoked
- Backlog