Should the revocation.RevocationData expire? #22
Comments
|
Hm, I also see the OCSP response has thisUpdate and nextUpdate thing. I am not sure if I should look at those or not. The current codebase doesn't seem to look at them though |
|
|
Acrobat shows the OCSP thisUpdate/nextUpdate here 
I cannot try now what will happen if I use old one when trying to sign the document with newer timestamp. :/ |
|
It's best to use a fresh OCSP response (as close as possible to your signing time to ensure that the certificate was not revoked at the time of signing), the code does not cache the response, but you could do this if you have to sign a lot of documents in a batch. Most CAs do distribute OCSP responses through a Content Deliver Network (CDN) which will cache the response for a period of time. Only a few CAs support OCSP nonce to enforce a fresh request on every request. |
|
Ah, I thought the As I see this in readme However looking into source code it doesn't actually work as a cache :) and it's always re-downloaded even when it's there already |
How does the RevocationData cache works?
Should it be cleared once in a while? Is there some expiry after which the OCSP response or CRL response is no longer valid?
In the EU checker, I see
And there, I see the entire validity of the cert. So the OCSP response can always be reused, as long as the certificate stays the same? I think it can, just making sure
The text was updated successfully, but these errors were encountered: