
Prefix Akamai cache tags to OCSP responses

Open jcjones opened this issue 4 years ago • 3 comments

This is a follow-on to #5736.

We set the cache tag to a two-character string of the last two hex characters of the serial, without a prefix.

https://github.com/letsencrypt/boulder/blob/7a7f436212bd040a09a5d0ef246f6dc76097d216/cmd/ocsp-responder/main.go#L174-L180

Akamai's cache tag system is unique per-account, so we should optimally configure a prefix to that string so that we can have tags which are for each operational environment. (See the Best Practice "Use cache tag nomenclature" which advises this as well).

Nov 09 '21 21:11 jcjones

Good plan, thanks!

So it seems like the prefix should be a config field, so we can distinguish staging and prod.

Nov 09 '21 22:11 jsha

Or it could be the issuer ID.

Nov 09 '21 22:11 jcjones

Ah, that's an awesome idea!

Nov 09 '21 23:11 jsha
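The tagging scheme discussed in this thread, as an added Go example that is not Boulder's code: a tag built from a prefix (a per-environment config value or an issuer ID) plus the last two hex characters of the serial, and the list of all 256 tags one prefix can yield. The names `CacheTag` and `AllTags`, the `-` separator, the prefix allow-list and the sample values are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Assumed conservative allow-list for prefixes; not Akamai's documented tag grammar.
var prefixRE = regexp.MustCompile(`^[a-z0-9-]{1,32}$`)
var hexRE = regexp.MustCompile(`^[0-9a-f]+$`)

// CacheTag returns "<prefix>-<last two hex chars of serial>". The prefix may be
// an environment name from config or an issuer ID, the two options in the thread.
func CacheTag(prefix, serialHex string) (string, error) {
	if !prefixRE.MatchString(prefix) {
		return "", errors.New("invalid cache tag prefix")
	}
	s := strings.ToLower(serialHex)
	if len(s) < 2 || !hexRE.MatchString(s) {
		return "", errors.New("serial must be at least two hex characters")
	}
	return prefix + "-" + s[len(s)-2:], nil
}

// AllTags lists the 256 tags one prefix can produce, e.g. to purge a single
// environment's OCSP responses without touching another environment's.
func AllTags(prefix string) ([]string, error) {
	if !prefixRE.MatchString(prefix) {
		return nil, errors.New("invalid cache tag prefix")
	}
	tags := make([]string, 0, 256)
	for i := 0; i < 256; i++ {
		tags = append(tags, fmt.Sprintf("%s-%02x", prefix, i))
	}
	return tags, nil
}

func main() {
	serial := "03a1f4c2d9e07b5566778899aabbccddee4f"  // constructed sample serial
	for _, env := range []string{"staging", "prod"} { // hypothetical prefixes
		tag, err := CacheTag(env, serial)
		fmt.Println(tag, err)
	}
}
```

Without the prefix both environments would emit the same tag for this serial, so a purge by tag in one environment would also hit the other on a shared account.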