On 16/04/2020 00:04, Nick Lamb via dev-security-policy wrote:
> Specifically: You should cache your stapled GOOD answers in durable
> storage if practical, and when periodically refreshing you should report
> non-GOOD answers to the operator (e.g. logging them as an ERROR
> condition) but always continue to present clients with the last GOOD
> answer until it actually expires even if you receive newer non-GOOD
> OCSP responses.

For the avoidance of doubt (and my own poor brain) - does 'GOOD' here mean OCSP status code 'successful' (0) AND returning a 'good' status for the certificate, or does it just mean status code 'successful'? The GTS case here was returning OCSP exception status 'unauthorized' (6).

I would have thought that an OCSP-stapling implementation which got an OCSP status code 'successful' (0) with a 'revoked' status for the certificate would want to pass that on to the client, replacing any prior OCSP successful/status-good report, whether or not that prior report was still valid.

But I'm with you on the implementation retaining the last successful OCSP report until it expires (I'd go further: if I got a successful/revoked response, followed by a successful/good response later on, I'd be flagging that to the CA as a serious problem, and retaining the successful/revoked ones until _it_ expires).

Cheers,

Neil
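The caching policy discussed in this thread (keep the last GOOD answer until it expires, log exception statuses such as 'unauthorized' (6) as errors, let a successful/revoked answer replace a still-valid good one, and flag a revoked-then-good flip to the CA while retaining the revoked answer until it expires) written out as a small state machine. This is an added illustration, not code from either poster or from any TLS server; it works on constructed, already-parsed response objects (no ASN.1), and the names `OcspResponse`, `StapleCache`, `make_response`, `demo_sequence` and the instant `T0` are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# OCSPResponseStatus values (RFC 6960, section 4.2.1)
SUCCESSFUL = 0
UNAUTHORIZED = 6

# Constructed reference instant used by the scenario below (assumption of this example)
T0 = datetime(2020, 4, 16, 0, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class OcspResponse:
    """Constructed stand-in for an already-parsed OCSP response (no ASN.1 here)."""
    response_status: int           # OCSPResponseStatus: 0 = successful, 6 = unauthorized, ...
    cert_status: Optional[str]     # 'good', 'revoked' or 'unknown'; None when no BasicOCSPResponse
    this_update: datetime
    next_update: datetime

    def expired(self, now: datetime) -> bool:
        return now >= self.next_update


def make_response(response_status: int, cert_status: Optional[str],
                  hours_after_t0: int, lifetime_hours: int = 24) -> OcspResponse:
    """Build a constructed response produced hours_after_t0 hours after T0."""
    this_update = T0 + timedelta(hours=hours_after_t0)
    return OcspResponse(response_status, cert_status, this_update,
                        this_update + timedelta(hours=lifetime_hours))


class StapleCache:
    """Holds the one response a TLS server will staple for a given certificate."""

    def __init__(self) -> None:
        self.cached: Optional[OcspResponse] = None
        self.events: List[Tuple[str, str]] = []   # (level, message), as a logger would see them

    def _log(self, level: str, message: str) -> None:
        self.events.append((level, message))

    def refresh(self, resp: OcspResponse, now: datetime) -> None:
        """Apply one freshly fetched response to the cache."""
        if resp.response_status != SUCCESSFUL:
            # Exception status (e.g. unauthorized = 6) is not GOOD: report it, keep what we have.
            self._log("ERROR", f"responder returned OCSPResponseStatus {resp.response_status}; "
                               "keeping cached staple")
            return
        if resp.cert_status == "revoked":
            # A definitive revoked answer replaces any earlier good answer, even a still-valid one.
            self._log("ERROR", "certificate reported revoked; stapling the revoked response")
            self.cached = resp
            return
        if resp.cert_status == "good":
            if self.cached is not None and self.cached.cert_status == "revoked":
                # revoked followed by good is a responder inconsistency to escalate to the CA.
                self._log("CRITICAL", "responder now says good after saying revoked; report to CA")
                if not self.cached.expired(now):
                    return   # retain the revoked answer until it expires
            self.cached = resp
            return
        # 'unknown' (or no certStatus) is a successful response that is still not GOOD.
        self._log("ERROR", f"certStatus {resp.cert_status!r}; keeping cached staple")

    def current_staple(self, now: datetime) -> Optional[str]:
        """certStatus of the response the server would staple right now, or None (no staple)."""
        if self.cached is None or self.cached.expired(now):
            return None
        return self.cached.cert_status


def demo_sequence() -> Tuple[List[Optional[str]], List[str]]:
    """Constructed scenario: good, then unauthorized (the GTS case), then revoked, then good again.
    Returns the staple presented after each refresh and the log levels raised along the way."""
    cache = StapleCache()
    steps = [
        (make_response(SUCCESSFUL, "good", 0), 1),
        (make_response(UNAUTHORIZED, None, 6), 7),      # exception status carries no certStatus
        (make_response(SUCCESSFUL, "revoked", 12), 13),
        (make_response(SUCCESSFUL, "good", 18), 19),    # revoked->good: flagged, revoked retained
    ]
    presented = []
    for resp, hours in steps:
        now = T0 + timedelta(hours=hours)
        cache.refresh(resp, now)
        presented.append(cache.current_staple(now))
    return presented, [level for level, _ in cache.events]
```

Running `demo_sequence()` yields `["good", "good", "revoked", "revoked"]` for the presented staples and `["ERROR", "ERROR", "CRITICAL"]` for the events, i.e. the unauthorized answer never displaces the valid good one, the revoked answer displaces it immediately, and the later good answer is reported but not served while the revoked one is still within its validity window.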

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
