Type: New Feature
Affects Version/s: None
Fix Version/s: EJBCA 6.0.3
4.4.4. Archive Cutoff
To illustrate, if a server is operated with a 7-year retention
interval policy and status was produced at time t1, then the value
for ArchiveCutoff in the response would be (t1 - 7 years).
If t1 is the date when the OCSP response was signed, archiveCutoff denotes the date until which revocation information
is available. In your example, a response signed (and sent) at 2013-11-13 indicating the status "good" for a certificate
that expired before 2006-11-13 is not reliable, because the information base of the OCSP responder does not
(necessarily) include revocation information of that certificate.
For EJBCA that means that:
- If a certificate has expired when we answer an OCSP request, we should include the Archive Cutoff extension (unless configured to exclude it, see below).
- We need a configurable value for "ocsp.expiredcert.retentionperiod", with a decent default value, say 1 year.
- If ocsp.expiredcert.retentionperiod is set to -1 we should not include the Archive Cutoff extension (for full backwards compatibility).
- Document this change in the UPGRADE notes.
- JUnit test.
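The two rules above (ArchiveCutoff = t1 minus the retention interval, and "good" is not trustworthy for a certificate that expired before that cutoff) together with the proposed EJBCA behaviour (include the extension only for expired certificates, -1 disables it) as a small worked example. This is added illustration code, not EJBCA code; it assumes the retention period is expressed in whole years and uses -1 as the disable sentinel exactly as proposed in the ticket.

```python
from datetime import datetime, timezone
from typing import Optional

# Assumption (from the proposal above): -1 for ocsp.expiredcert.retentionperiod
# means "never include the Archive Cutoff extension" (pre-change behaviour).
RETENTION_DISABLED = -1


def subtract_years(t: datetime, years: int) -> datetime:
    """Return t minus `years` calendar years, clamping Feb 29 to Feb 28
    when the target year is not a leap year."""
    try:
        return t.replace(year=t.year - years)
    except ValueError:
        return t.replace(year=t.year - years, day=28)


def archive_cutoff(produced_at: datetime, retention_years: int,
                   cert_not_after: datetime) -> Optional[datetime]:
    """Value of the ArchiveCutoff extension for one single response, or None
    when the responder should omit the extension.

    produced_at      : t1, the time the OCSP response is signed
    retention_years  : ocsp.expiredcert.retentionperiod (assumed to be in years)
    cert_not_after   : notAfter of the certificate the request asks about
    """
    if retention_years == RETENTION_DISABLED:
        return None                      # backwards-compatible mode
    if cert_not_after > produced_at:
        return None                      # certificate still valid, no cutoff needed
    return subtract_years(produced_at, retention_years)   # t1 - retention


def status_is_reliable(cert_not_after: datetime,
                       cutoff: Optional[datetime]) -> bool:
    """Relying-party side: a status for a certificate that expired before the
    advertised cutoff is not backed by the responder's revocation records."""
    if cutoff is None:
        return True                      # no cutoff advertised, nothing to compare
    return cert_not_after >= cutoff


if __name__ == "__main__":
    # Constructed sample matching the ticket: response signed 2013-11-13,
    # 7-year retention policy, certificate that expired in 2006.
    t1 = datetime(2013, 11, 13, tzinfo=timezone.utc)
    expired_2006 = datetime(2006, 1, 1, tzinfo=timezone.utc)
    cutoff = archive_cutoff(t1, 7, expired_2006)
    print("ArchiveCutoff:", cutoff.isoformat())
    print("status reliable:", status_is_reliable(expired_2006, cutoff))
```

With the sample values the cutoff comes out as 2006-11-13, so a "good" answer for the certificate that expired on 2006-01-01 is flagged as unreliable, while a certificate that expired in 2010 would pass the same check; with the period set to -1 the function returns None and the extension is simply not produced.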