On 01/04/15 06:16, Carl Mehner wrote:
<snip>
If we do want to put these types of considerations in the draft,
maybe the security considerations section is the best place.
Something along the lines of:

When preparing to use the new certificate received from an issuance or
refresh, the client software should check that the OCSP response from
the certificate authority is valid before enabling the new certificate
for use in the server system. If the OCSP response is requested too
early by the server system, a 'revoked' or 'unknown' OCSP response may
be cached and cause browsers to fail connection attempts.

The CA's OCSP infrastructure might consist of many servers that are not necessarily perfectly synchronized. So the ACME client may be able to obtain a "good" OCSP response for a recently issued certificate, but some other clients may get a different response.

Only the ACME server (the CA) could possibly know for certain that all of the servers in its OCSP infrastructure have become aware of the recently issued certificate.

Perhaps an ACME client should be able to ask an ACME server "Is your OCSP infrastructure fully aware of this cert yet?"

Or perhaps the ACME draft should simply say that TLS servers SHOULD enable OCSP Stapling, so that TLS clients are less likely to encounter a "requested too early" OCSP response.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
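As an added illustration of the check Carl proposes and the retry that Rob's point about unsynchronized OCSP servers implies (example code written for this page, not from the ACME draft or any ACME client): a POSIX sh deploy gate that queries the CA's responder with the openssl CLI and refuses to enable the new certificate until a verified "good" answer comes back. The certificate, issuer and trust-bundle paths are hypothetical arguments; the output parsing is split out so it can be exercised offline.

```shell
#!/bin/sh
# Added example: gate enabling a freshly issued certificate on a verified
# "good" OCSP answer from the issuing CA. Paths and retry counts are assumptions.

# Ask the CA's OCSP responder about one certificate (needs network).
# $1 = new end-entity cert (PEM), $2 = issuer cert (PEM), $3 = trusted CA bundle.
# Prints openssl's combined stdout/stderr so the caller can classify it.
ocsp_query() {
    url=$(openssl x509 -in "$1" -noout -ocsp_uri)
    [ -n "$url" ] || { echo "no OCSP URI in certificate" >&2; return 2; }
    openssl ocsp -issuer "$2" -cert "$1" -url "$url" -CAfile "$3" 2>&1
}

# Classify openssl ocsp output. Prints one of: good, revoked, unknown, error.
# Anything but a signature-verified "good" is treated as "not ready to enable":
# a cached 'revoked' or 'unknown' is exactly the failure mode to avoid.
ocsp_classify() {
    out=$1
    case $out in
        *"Response verify OK"*) ;;                  # responder signature checked out
        *) echo error; return 1 ;;                  # unverified or malformed reply
    esac
    case $out in
        *": good"*)    echo good;    return 0 ;;
        *": revoked"*) echo revoked; return 1 ;;
        *": unknown"*) echo unknown; return 1 ;;
        *)             echo error;   return 1 ;;
    esac
}

# Deploy hook: retry for a while, since not every server behind the CA's
# OCSP name may know the new certificate yet. Returns 0 only when it is safe
# to switch the TLS server over to the new certificate.
wait_for_good_ocsp() {
    cert=$1; issuer=$2; bundle=$3; tries=${4:-6}; delay=${5:-10}
    i=0
    while [ "$i" -lt "$tries" ]; do
        status=$(ocsp_classify "$(ocsp_query "$cert" "$issuer" "$bundle")")
        [ "$status" = good ] && return 0
        echo "attempt $((i + 1)): OCSP status '$status', not enabling yet" >&2
        i=$((i + 1)); sleep "$delay"
    done
    return 1
}

# Usage: deploy-gate.sh new.pem issuer.pem /path/to/ca-bundle.pem [tries] [delay]
if [ "$#" -ge 3 ]; then
    wait_for_good_ocsp "$@"
fi
```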

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme