[SERVER-49218] Determine validity period for OCSP responses without nextUpdate Created: 30/Jun/20  Updated: 06/Dec/22

Status: Blocked
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Shreyas Kalyan Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
related to SERVER-48577 Investigate OCSP Revoked Backlog
Assigned Teams:
Server Security
Sprint: Security 2020-07-27
Participants:

Description

As per RFC 6960, an OCSP response can have an empty nextUpdate field. If it is empty, this indicates that newer status information is available immediately from the OCSP responder.

When stapling a CERT_STATUS_GOOD status response object with no nextUpdate field set, the server should not staple it if a driver would reject the response because of its age. The server should discard any response that would be rejected on that basis, regardless of whether it was able to obtain a new response.

If stapling a CERT_STATUS_REVOKED status response object with no nextUpdate field set, the server should use an arbitrary refresh interval to update the stapled response.

If clients and drivers decide to reject all stapled responses with an empty nextUpdate field, the server should never staple such responses.

We should determine the correct and expected behavior for all responses without a nextUpdate field.
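The stapling policy sketched in the paragraphs above, written out as an added example (this is illustrative code, not MongoDB server code). It models an OCSP response with an optional nextUpdate, and makes the staple/discard/refresh decision the ticket describes. The maximum age a driver accepts (`max_age`), the fixed refresh interval for revoked responses (`revoked_refresh`), and the `reject_missing_next_update` switch are assumed policy knobs, not values from the ticket; the responses built in `run_demo` are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class OcspResponse:
    status: CertStatus
    this_update: datetime
    next_update: Optional[datetime]  # None models an absent nextUpdate field (RFC 6960)


@dataclass(frozen=True)
class StapleDecision:
    staple: bool                    # whether the server should staple this response now
    refresh_at: Optional[datetime]  # when the server should fetch a fresh response
    reason: str


def decide_staple(resp: OcspResponse, now: datetime, max_age: timedelta,
                  revoked_refresh: timedelta,
                  reject_missing_next_update: bool = False) -> StapleDecision:
    """Decide whether to staple `resp` and when to refresh it.

    max_age: assumed maximum response age a driver will accept (policy knob).
    revoked_refresh: assumed fixed polling interval for revoked responses
                     without nextUpdate (the ticket's "arbitrary refresh interval").
    reject_missing_next_update: assume clients reject every response that
                     lacks nextUpdate; then such responses are never stapled.
    """
    # A thisUpdate in the future is not trustworthy (clock skew or a bad responder).
    if resp.this_update > now:
        return StapleDecision(False, now, "thisUpdate is in the future; not stapled")

    # Normal case: nextUpdate present. Staple while valid, refresh at nextUpdate.
    if resp.next_update is not None:
        if now >= resp.next_update:
            return StapleDecision(False, now, "expired (past nextUpdate); discard")
        return StapleDecision(True, resp.next_update, "valid; refresh at nextUpdate")

    # Remaining cases: nextUpdate absent, meaning newer status is available immediately.
    if reject_missing_next_update:
        return StapleDecision(False, now, "clients reject empty nextUpdate; never staple")

    if resp.status is CertStatus.GOOD:
        rejected_at = resp.this_update + max_age
        if now >= rejected_at:
            # Drivers would reject it for age; discard even if no replacement was obtained.
            return StapleDecision(False, now, "too old for drivers; discard")
        return StapleDecision(True, rejected_at, "staple; refresh before drivers reject it")

    if resp.status is CertStatus.REVOKED:
        # Revoked with no nextUpdate: staple and re-poll on a fixed interval.
        return StapleDecision(True, now + revoked_refresh, "revoked; poll on fixed interval")

    return StapleDecision(False, now, "unknown status; not stapled")


def run_demo() -> dict:
    """Exercise the policy on constructed sample responses; returns decisions by label."""
    now = datetime(2020, 6, 30, 12, 0, tzinfo=timezone.utc)  # constructed clock
    max_age, revoked_refresh = timedelta(days=1), timedelta(hours=1)  # assumed knobs
    h, d = timedelta(hours=1), timedelta(days=1)
    samples = {
        "good_fresh_no_next":   OcspResponse(CertStatus.GOOD, now - 2 * h, None),
        "good_stale_no_next":   OcspResponse(CertStatus.GOOD, now - 2 * d, None),
        "revoked_no_next":      OcspResponse(CertStatus.REVOKED, now - 2 * d, None),
        "good_with_next":       OcspResponse(CertStatus.GOOD, now - 2 * h, now + 5 * h),
        "good_expired_next":    OcspResponse(CertStatus.GOOD, now - 3 * d, now - d),
        "good_future_this":     OcspResponse(CertStatus.GOOD, now + h, None),
    }
    out = {k: decide_staple(v, now, max_age, revoked_refresh) for k, v in samples.items()}
    out["good_fresh_strict"] = decide_staple(samples["good_fresh_no_next"], now, max_age,
                                             revoked_refresh, reject_missing_next_update=True)
    # Expose the reference instants so callers can check refresh times.
    out["_now"], out["_max_age"], out["_revoked_refresh"] = now, max_age, revoked_refresh
    return out


if __name__ == "__main__":
    for label, dec in run_demo().items():
        if not label.startswith("_"):
            print(f"{label:22s} staple={dec.staple!s:5s} refresh_at={dec.refresh_at} ({dec.reason})")
```

The one non-obvious choice is the refresh time for a good response without nextUpdate: it is set to `thisUpdate + max_age` rather than `now + interval`, so the server always fetches a replacement before the stapled copy crosses the age at which drivers would reject it.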

