EJBCA / ECA-3314

OCSP Archive Cutoff

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.0.3
    • Component/s: None
    • Labels: None

      Description


      RFC 6960, section 4.4.4, Archive Cutoff:
      <snip>
      To illustrate, if a server is operated with a 7-year retention
      interval policy and status was produced at time t1, then the value
      for ArchiveCutoff in the response would be (t1 - 7 years).


      If t1 is the date when the OCSP response was signed, archiveCutoff denotes the date until which revocation information
      is available. In your example, a response signed (and sent) at 2013-11-13 indicating the status "good" for a certificate
      that expired before 2006-11-13 is not reliable, because the information base of the OCSP responder does not
      (necessarily) include revocation information of that certificate.


      For EJBCA that means that:

      • If a certificate is expired when answering an OCSP request, we should include the Archive Cutoff extension (unless configured to exclude it; see below).
      • We need a configurable value for "ocsp.expiredcert.retentionperiod", with a decent default value, say 1 year.
      • If ocsp.expiredcert.retentionperiod is set to -1 we should not include the Archive Cutoff extension (to be completely backwards compatible).
      • Documentation about this change in the UPGRADE notes.
      • JUnit test.
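The cutoff arithmetic and the two decisions the ticket describes (responder: include the extension or not; relying party: trust a "good" for an expired certificate or not), as an added Python example that is not EJBCA's code. It reuses the ticket's property semantics (retention in whole years, -1 disables the extension) and its sample dates; the function names are this example's own.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed sample values taken from the ticket: response signed 2013-11-13
# under a 7-year retention policy, so ArchiveCutoff = 2006-11-13.
PRODUCED_AT = datetime(2013, 11, 13, tzinfo=timezone.utc)
RETENTION_YEARS = 7
NO_ARCHIVE_CUTOFF = -1  # ocsp.expiredcert.retentionperiod = -1 (extension disabled)


def years_before(t1: datetime, years: int) -> datetime:
    """t1 minus a whole number of years; Feb 29 falls back to Feb 28."""
    try:
        return t1.replace(year=t1.year - years)
    except ValueError:
        return t1.replace(year=t1.year - years, day=28)


def archive_cutoff(produced_at: datetime, retention_years: int) -> Optional[datetime]:
    """RFC 6960 4.4.4: ArchiveCutoff = producedAt - retention interval.
    Returns None when the retention period is -1 (no extension emitted)."""
    if retention_years == NO_ARCHIVE_CUTOFF:
        return None
    return years_before(produced_at, retention_years)


def include_archive_cutoff(cert_not_after: datetime, produced_at: datetime,
                           retention_years: int) -> bool:
    """Responder side: emit the extension only for an already-expired
    certificate, and only when the feature is not disabled."""
    if retention_years == NO_ARCHIVE_CUTOFF:
        return False
    return cert_not_after < produced_at


def good_status_is_reliable(cert_not_after: datetime, produced_at: datetime,
                            retention_years: int) -> Optional[bool]:
    """Relying-party side: a 'good' for a certificate that expired before the
    cutoff only says the responder no longer holds records for it.
    Returns None when no cutoff is asserted (nothing to compare against)."""
    cutoff = archive_cutoff(produced_at, retention_years)
    if cutoff is None:
        return None
    return cert_not_after >= cutoff
```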

              People

              Assignee: Aveen Ismail (Inactive)
              Reporter: Tomas Gustavsson
              Verified by: Tomas Gustavsson
