Line 47:
Using POST prevents caching of OCSP responses in proxy servers.
It has been proposed that NSS shall support HTTP GET. An application shall be able to instruct NSS to use GET by default.
It is unclear whether all deployed OCSP servers fully support HTTP GET. If there are doubts, NSS would have to fall back to POST on failures. This would cause additional traffic for those servers that do not support GET. Ideally NSS might remember (during a process lifetime) which servers fail to support GET and use POST for those servers for the remainder of the session. (Is this smartness really required? Opinions?)
When using GET we open a new class of problem for the OCSP-client to OCSP-server communication, because responses can originate from a proxy server cache.
NSS has a requirement that a response is fresh. As of today this means the timestamp contained in a signed OCSP response must be no more than 24 hours old.
A problem arises in the following scenario:
* OCSP server issues an OCSP response
* the proxy server decides the response shall be valid for more than 24 hours
* after 24 hours an NSS client receives the old response from a proxy cache and rejects the response as invalid, because the timestamp is not fresh
This is a small problem in relaxed mode. NSS will ignore the bad response. However, in the case of a revocation, it disables the CA's ability to push out a new response.
In strict mode the situation is worse. NSS will reject the old response and give up, even though the real OCSP server would have been available to provide a more recent answer.
How should this problem get solved?
Another topic: It has been proposed that CAs might produce bulk responses, like a single response for a group of 50 certificates. It has been said a proxy cache might be able to carry only a single response for this group. However, it seems this will not work, because the requests for each individual cert will look completely different, and therefore the proxy server will see different "keys" and will be unable to group those requests and responses.
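The following Python sketch is an added illustration of the points discussed above; it is not NSS code and not part of the original page. It shows the HTTP GET form of an OCSP request (the base64 request embedded in the URL, which is also why every certificate produces a different proxy cache key and bulk responses cannot be shared by a cache), the 24-hour freshness check, a client that prefers GET, remembers responders that fail on GET and falls back to POST, and, as an assumed mitigation for the stale-cache scenario (not NSS behaviour), one POST retry when a GET answer is stale. The `transport` hook, the `.example` responder names and the request bytes are constructed stand-ins; no network is contacted.

```python
import base64
import time
import urllib.parse

# Freshness window taken from the page: a signed response whose timestamp is
# more than 24 hours in the past is rejected as not fresh.
MAX_RESPONSE_AGE = 24 * 60 * 60


def ocsp_get_url(responder_url: str, der_request: bytes) -> str:
    """HTTP GET form of an OCSP request (RFC 2560, Appendix A.1.1): the DER
    request is base64-encoded, URL-escaped and appended to the responder URL.
    The encoded request is part of the URL, so each certificate yields a
    different cache key and a proxy cannot group requests for a bulk response."""
    b64 = base64.b64encode(der_request).decode("ascii")
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")


def is_fresh(produced_at: int, now: int, max_age: int = MAX_RESPONSE_AGE) -> bool:
    """True when the response timestamp is at most max_age seconds in the past."""
    return now - produced_at <= max_age


class OcspClient:
    """Prefers GET, falls back to POST, remembers responders that fail on GET,
    and retries a stale GET answer once via POST to bypass proxy caches.
    The POST retry is an assumed mitigation for the page's scenario, not NSS behaviour."""

    def __init__(self, transport, strict: bool = False):
        # Hypothetical hook: transport(method, url, body) -> (http_status, produced_at or None)
        self.transport = transport
        self.strict = strict
        self.no_get = set()  # responders seen failing GET, kept for the process lifetime

    def _send(self, method: str, responder_url: str, der_request: bytes):
        if method == "GET":
            return self.transport("GET", ocsp_get_url(responder_url, der_request), None)
        return self.transport("POST", responder_url, der_request)

    def fetch(self, responder_url: str, der_request: bytes, now: int):
        """Returns (outcome, method); outcome is 'fresh', 'stale' or 'unavailable'."""
        method = "POST" if responder_url in self.no_get else "GET"
        status, produced_at = self._send(method, responder_url, der_request)
        if method == "GET" and status != 200:
            # Responder does not accept GET: remember it and switch to POST.
            self.no_get.add(responder_url)
            method = "POST"
            status, produced_at = self._send(method, responder_url, der_request)
        if status != 200:
            return ("unavailable", method)
        if is_fresh(produced_at, now):
            return ("fresh", method)
        if method == "GET":
            # A stale answer may be a proxy-cached copy; POST is not cached, so ask the origin once.
            status, produced_at = self._send("POST", responder_url, der_request)
            if status == 200 and is_fresh(produced_at, now):
                return ("fresh", "POST")
        return ("stale", method)

    def allows_certificate(self, outcome: str) -> bool:
        """Relaxed mode ignores a stale or missing response; strict mode treats it as
        a failure. A fresh response is assumed here to carry a 'good' status."""
        return outcome == "fresh" or not self.strict


def make_fake_transport(now: int):
    """Constructed stand-in for the network; no real responders are contacted."""
    stale = now - 30 * 3600  # cached copy from 30 hours ago, past the 24-hour window

    def transport(method, url, body):
        if url.startswith("http://post-only.example/"):  # responder that rejects GET
            return (405, None) if method == "GET" else (200, now - 60)
        if url.startswith("http://cached.example/"):  # proxy serves a stale copy on GET only
            return (200, stale) if method == "GET" else (200, now - 60)
        if url.startswith("http://stale-origin.example/"):  # origin itself is stale
            return (200, stale)
        return (503, None)

    return transport


if __name__ == "__main__":
    now = int(time.time())
    req = b"\x30\x03\x02\x01\x01"  # constructed placeholder bytes, not a real DER OCSPRequest
    for strict in (False, True):
        client = OcspClient(make_fake_transport(now), strict=strict)
        for responder in ("http://post-only.example/", "http://cached.example/",
                          "http://stale-origin.example/"):
            outcome, method = client.fetch(responder, req, now)
            print(f"strict={strict} {responder} -> {outcome} via {method}, "
                  f"allowed={client.allows_certificate(outcome)}")
```

Running it shows the three cases from the text: the GET-refusing responder is remembered and served by POST from then on, the proxy-cached stale copy is replaced by a fresh origin answer through POST, and a responder that is stale at the origin yields 'stale', which relaxed mode ignores and strict mode turns into a failure.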