[SERVER-48577] Investigate OCSP Revoked Created: 03/Jun/20  Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Shreyas Kalyan Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
is related to SERVER-49218 Determine validity period for OCSP re... Blocked
Assigned Teams:
Server Security
Sprint: Security 2020-06-29, Security 2020-07-27
Participants:
Linked BF Score: 0

Description

If an OCSP response reports a status of revoked, the timestamps on that response are not checked. Because the timestamp information is not consulted, the server currently staples the response for 10 minutes and refreshes the staple after 5 minutes, and the client caches the response object for 10 minutes.

If the nextUpdate field is set in the status response object, both the server and the client should use the time prescribed by the status response object.

If no nextUpdate field is set in the status response object during client OCSP acquisition and verification, the client should choose a refresh period that depends on the revocation status of the certificate.

This should be investigated with guidance from the OCSP RFC to determine the proper format of an OCSP response whose status is revoked.
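The caching rule sketched above, written out as an added example (this is not MongoDB code; it assumes the response's status and thisUpdate/nextUpdate fields have already been parsed, and the per-status fallback lifetimes used when nextUpdate is absent are hypothetical placeholder values, not anything the ticket decides). The 10-minute lifetime and 5-minute refresh point are the current behaviour described in the ticket; the example also rejects responses whose timestamps show them to be stale or not yet valid, which is the check the ticket says is currently skipped for revoked responses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


# Current behaviour from the ticket: when timestamps are not consulted, a staple
# is served for 10 minutes and refreshed halfway through, at 5 minutes.
DEFAULT_LIFETIME = timedelta(minutes=10)

# Assumed (hypothetical) fallback lifetimes for a response that carries no
# nextUpdate. RFC 6960 says such a response may be superseded at any time, so
# the cache is kept short; a revoked or unknown answer is re-checked sooner than
# a good one so that a stale answer is not pinned for the full default window.
FALLBACK_LIFETIME = {
    CertStatus.GOOD: DEFAULT_LIFETIME,
    CertStatus.REVOKED: timedelta(minutes=2),
    CertStatus.UNKNOWN: timedelta(minutes=1),
}

# Tolerated clock skew between this host and the OCSP responder (assumed value).
MAX_CLOCK_SKEW = timedelta(minutes=5)


@dataclass(frozen=True)
class OcspStatusInfo:
    """The fields of a single OCSP SingleResponse that matter for caching."""
    status: CertStatus
    this_update: datetime            # thisUpdate (UTC, tz-aware)
    next_update: Optional[datetime]  # nextUpdate, or None if the field is absent


@dataclass(frozen=True)
class CachePlan:
    expires_at: datetime  # stop serving/trusting the cached response after this
    refresh_at: datetime  # start fetching a replacement at this point


def plan_cache(info: OcspStatusInfo, now: datetime) -> CachePlan:
    """Decide how long to cache an OCSP response and when to refresh it.

    Raises ValueError for responses that fail the timestamp checks, so a caller
    cannot accidentally staple or trust a stale or not-yet-valid answer.
    """
    if info.this_update > now + MAX_CLOCK_SKEW:
        raise ValueError("OCSP response thisUpdate is in the future")

    if info.next_update is not None:
        # nextUpdate present: the responder prescribes the validity window,
        # and an already-elapsed window means the response must not be used.
        if info.next_update <= now:
            raise ValueError("OCSP response has expired (nextUpdate is in the past)")
        expires_at = info.next_update
    else:
        # nextUpdate absent: pick a lifetime based on the reported status.
        expires_at = now + FALLBACK_LIFETIME[info.status]

    # Refresh halfway through the remaining window so a fresh response is in
    # hand before the cached one lapses; for the default 10-minute window this
    # reproduces the existing 5-minute refresh point.
    refresh_at = now + (expires_at - now) / 2
    return CachePlan(expires_at=expires_at, refresh_at=refresh_at)


if __name__ == "__main__":
    # Constructed sample: a revoked response valid for one more hour.
    now = datetime(2020, 6, 3, 12, 0, tzinfo=timezone.utc)
    sample = OcspStatusInfo(CertStatus.REVOKED, now - timedelta(minutes=1),
                            now + timedelta(hours=1))
    print(plan_cache(sample, now))
```

All datetimes must be timezone-aware; mixing naive and aware values raises a TypeError in the comparisons, which is preferable to silently comparing local time against the responder's UTC timestamps.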


Generated at Thu Feb 08 05:17:31 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.