On Friday, February 1, 2019 at 11:38:40 PM UTC+1, Kurt Roeckx wrote:
> On Fri, Feb 01, 2019 at 03:02:17PM -0700, Wayne Thayer wrote:
> > It was pointed out to me that the OCSP status of the misissued certificate
> > that is valid for over 5 years is still "unknown" despite having been
> > revoked a week ago.
> 
> If you follow the RFC, the "unknown" answer can mean that it
> doesn't know, and that another option like a CRL can be tried.
> With "unknown", it doesn't say anything about being valid or not.
> 
> I don't think that interpretation is very useful. I think that the
> OCSP server should know about the certificate before the customer
> has the certificate.

FWIW, with ACME and automated instant certificates this may be an interesting 
challenge for big CAs. While you can design to try to achieve this, there will 
always be a case of some update not getting through in time, and some members 
of the high-availability OCSP responder pool not having 100% of the certificates 
issued in the last minute (obviously, the longer the time since issuance, the 
sharply lower the probability of such an event should be, and after a day it is 
unwise to not have all answers).


> I think that if you have a properly signed
> certificate within its validity period, the OCSP should always
> return either "good" or "revoked", never "unknown". Once a
> certificate is generated and it's not revoked it's valid.
> 
> Would it be useful to have a requirement in the BRs that the OCSP
> server should not answer with "unknown" for an issued certificate
> within its validity period?
> 
> 
> Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
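The two points argued in the thread, that "unknown" only says the responder has no record and the client should then try another source such as a CRL, and that a lagging member of a responder pool can still return "unknown" for a certificate the CA has already issued or even revoked, can be played out end to end with the Python cryptography library. The following is an added, constructed example and not code from any participant in the thread or from any CA: it builds a toy root CA that signs its own OCSP responses, two responder nodes of which one has not yet received the issuance record, and a client that verifies the response and falls back to a CRL set on "unknown". The names, the serial number 0x1234, the four-hour nextUpdate and the lag scenario are all assumptions made for the example.

```python
# Constructed example (not from the thread): OCSP "unknown" vs. "good"/"revoked"
# with a lagging responder node and a client that falls back to a CRL.
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# One fixed "now" for the whole scenario; the API works with naive UTC datetimes.
NOW = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None, microsecond=0)


def make_cert(cn, issuer_cert, issuer_key, pubkey, serial, is_ca):
    """Mint a certificate; issuer_cert=None makes it self-signed (the toy root)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(serial)
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=90))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


class ResponderNode:
    """One member of the responder pool, signing with the CA key (assumption).
    `known` = serials whose issuance record has replicated to this node,
    `revoked` = serial -> revocation time."""

    def __init__(self, ca_cert, ca_key):
        self.ca_cert, self.ca_key = ca_cert, ca_key
        self.known, self.revoked = set(), {}

    def answer(self, leaf):
        serial = leaf.serial_number
        if serial in self.revoked:
            status, when = ocsp.OCSPCertStatus.REVOKED, self.revoked[serial]
        elif serial in self.known:
            status, when = ocsp.OCSPCertStatus.GOOD, None
        else:  # the issuance record has not reached this node yet
            status, when = ocsp.OCSPCertStatus.UNKNOWN, None
        resp = (ocsp.OCSPResponseBuilder()
                .add_response(cert=leaf, issuer=self.ca_cert, algorithm=hashes.SHA256(),
                              cert_status=status, this_update=NOW,
                              next_update=NOW + dt.timedelta(hours=4),
                              revocation_time=when, revocation_reason=None)
                .responder_id(ocsp.OCSPResponderEncoding.HASH, self.ca_cert)
                .sign(self.ca_key, hashes.SHA256()))
        return resp.public_bytes(serialization.Encoding.DER)


def check(der, leaf, ca_cert, crl_serials, now=NOW):
    """Client side: verify the response, then map its status to 'good', 'revoked'
    or 'unknown'. An UNKNOWN status is answered by consulting the CRL; if the CRL
    is silent too the caller chooses soft- or hard-fail, never 'good'."""
    r = ocsp.load_der_ocsp_response(der)
    if r.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder error: {r.response_status}")
    # Raises cryptography.exceptions.InvalidSignature if the response was tampered with.
    ca_cert.public_key().verify(r.signature, r.tbs_response_bytes,
                                ec.ECDSA(r.signature_hash_algorithm))
    if r.serial_number != leaf.serial_number:
        raise ValueError("response is about a different certificate")
    if not (r.this_update <= now <= r.next_update):
        raise ValueError("response outside its thisUpdate/nextUpdate window")
    if r.certificate_status == ocsp.OCSPCertStatus.GOOD:
        return "good"
    if r.certificate_status == ocsp.OCSPCertStatus.REVOKED:
        return "revoked"
    # UNKNOWN: the responder has no record of this serial; try the CRL instead.
    return "revoked" if leaf.serial_number in crl_serials else "unknown"


def run_scenario():
    """Two pool nodes, one lagging behind; returns the client verdict per situation."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = make_cert("Toy Root CA", None, ca_key, ca_key.public_key(), 1, True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = make_cert("www.example.test", ca_cert, ca_key, leaf_key.public_key(),
                     0x1234, False)  # made-up serial

    fresh, lagging = ResponderNode(ca_cert, ca_key), ResponderNode(ca_cert, ca_key)
    fresh.known.add(leaf.serial_number)  # issuance record replicated to this node only
    crl = set()                          # nothing revoked yet
    out = {
        "fresh node, before revocation": check(fresh.answer(leaf), leaf, ca_cert, crl),
        "lagging node, before revocation": check(lagging.answer(leaf), leaf, ca_cert, crl),
    }
    # The CA revokes the certificate: the fresh node and the CRL learn of it,
    # the lagging node still has no record of the serial at all.
    fresh.revoked[leaf.serial_number] = NOW
    crl.add(leaf.serial_number)
    out["fresh node, after revocation"] = check(fresh.answer(leaf), leaf, ca_cert, crl)
    out["lagging node, after revocation"] = check(lagging.answer(leaf), leaf, ca_cert, crl)
    return out


if __name__ == "__main__":
    for situation, verdict in run_scenario().items():
        print(f"{situation:34s} -> {verdict}")
```

Running it shows the lagging node answering "unknown" both before and after revocation; the client only reaches "revoked" in the second case because it treats "unknown" as a reason to consult the CRL rather than as a pass. A real responder would typically sign with a delegated responder certificate instead of the CA key, and a real client would also check the chain and nonce; those are left out to keep the exchange short.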