cfssl icon indicating copy to clipboard operation
cfssl copied to clipboard

Published 20 hours ago verified publisher icon cloudflare

Responder should return unauthorized for a response with NextUpdate in the past

Open rolandshoemaker opened this issue 9 years ago • 0 comments

RFC 2560 (and 6960) specifies [OCSP r]esponses whose nextUpdate value is earlier than the local system time value SHOULD be considered unreliable. RFC 5019 also states in order to ensure the database of revocation information does not grow unbounded over time, the responder MAY remove the status records of expired certificates.

Since the window between a nextUpdate in the past and when a response can be removed is somewhat ambiguous it would be a good idea to add a config var to the responder specifying if it should happly serve stale responses, how long it should be allowed to serve stale responses for, or not to serve stale responses at all.

rolandshoemaker avatar Feb 25 '16 23:02 rolandshoemaker