
Determine validity period for OCSP responses without nextUpdate


Details

    • Type: Task
    • Resolution: Unresolved
    • Priority: Major - P3
    • Component/s: Security
    • Assigned Teams: Server Security
    • Sprint: Security 2020-07-27

    Description

      As per RFC 6960, an OCSP response may omit the nextUpdate field. When it is absent, the responder is indicating that newer status information is available from it immediately (at any time).

      When stapling a CERT_STATUS_GOOD status response object with no nextUpdate field set, the server should not staple it if a driver would reject the response because of its age. The server should discard any response that would be rejected on that basis, regardless of whether it was able to obtain a new response.

      If stapling a CERT_STATUS_REVOKED status response object with no nextUpdate field set, the server should use an arbitrary refresh interval to update the stapled response.

      If clients and drivers decide to reject all stapled responses with an empty nextUpdate field, the server should never staple such responses.

      We should determine the correct and expected behavior for all responses without a nextUpdate field.
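The policy proposed above, written out as a stapling decision function. This is an added illustration, not code from the MongoDB server; the `max_client_age` limit and the `revoked_refresh` interval are assumed parameters standing in for whatever drivers and the server actually settle on.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class OcspResponse:
    """The SingleResponse fields that matter for the stapling decision."""
    status: CertStatus
    this_update: datetime
    next_update: Optional[datetime]  # None: responder has newer status available at any time


@dataclass(frozen=True)
class StapleDecision:
    staple: bool
    refresh_at: datetime  # when the server should fetch a replacement response
    reason: str


def decide_staple(resp: OcspResponse, now: datetime, max_client_age: timedelta,
                  revoked_refresh: timedelta, clients_reject_no_next_update: bool = False) -> StapleDecision:
    """Decide whether to staple `resp` under the policy sketched in the ticket.

    max_client_age  - oldest thisUpdate a driver still accepts (assumed client limit)
    revoked_refresh - arbitrary refresh interval for REVOKED responses lacking nextUpdate
    """
    if resp.next_update is not None:
        if now >= resp.next_update:
            return StapleDecision(False, now, "past nextUpdate; must be refreshed")
        return StapleDecision(True, resp.next_update, "valid until nextUpdate")
    if clients_reject_no_next_update:
        return StapleDecision(False, now + revoked_refresh, "clients reject responses without nextUpdate")
    age = now - resp.this_update
    if resp.status is CertStatus.GOOD:
        if age > max_client_age:
            # Discard: a driver would reject it for age, whether or not a fresh one was obtained.
            return StapleDecision(False, now, "GOOD response too old for drivers; discarded")
        return StapleDecision(True, resp.this_update + max_client_age, "GOOD; refresh before drivers reject it")
    if resp.status is CertStatus.REVOKED:
        return StapleDecision(True, now + revoked_refresh, "REVOKED; refresh on fixed interval")
    return StapleDecision(False, now + revoked_refresh, "UNKNOWN status is never stapled")


# Constructed sample: a GOOD response one hour old with no nextUpdate.
NOW = datetime(2020, 7, 27, 12, 0, tzinfo=timezone.utc)
SAMPLE_GOOD = OcspResponse(CertStatus.GOOD, NOW - timedelta(hours=1), None)
```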

          People

            Assignee: Backlog - Security Team (backlog-server-security)
            Reporter: Shreyas Kalyan (shreyas.kalyan@mongodb.com)