Should the revocation.RevocationData expire? #22
Comments
Hm, I also see the OCSP response has a thisUpdate and nextUpdate thing. I am not sure if I should look at those or not. The current codebase doesn't seem to look at them, though.
It's best to use a fresh OCSP response (as close as possible to your signing time, to ensure that the certificate was not revoked at the time of signing). The code does not cache the response, but you could do this if you have to sign a lot of documents in a batch. Most CAs distribute OCSP responses through a Content Delivery Network (CDN), which will cache the response for a period of time. Only a few CAs support OCSP nonces to enforce a fresh response on every request.
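The reuse rule the reply above describes, written out as an added Go example (not code from this project): a cached response is usable at a given signing time only while it sits inside the responder's thisUpdate/nextUpdate window, further capped by the caller's own freshness policy, which also handles a response with no nextUpdate. The `OCSPWindow` type and the `maxAge` policy are this example's own constructions; a real caller would fill the two timestamps from the parsed OCSP response.

```go
package main

import (
	"fmt"
	"time"
)

// OCSPWindow carries the two validity timestamps of an OCSP response
// (RFC 6960 thisUpdate / nextUpdate). Constructed type for this example;
// a real program fills it from the parsed response.
type OCSPWindow struct {
	ThisUpdate time.Time
	NextUpdate time.Time // zero value when the responder omitted nextUpdate
}

// RefreshAfter returns the instant after which a cached response must not be
// reused: the responder's nextUpdate, capped by the caller's own policy maxAge
// counted from thisUpdate. The cap is what protects a batch signer when
// nextUpdate is missing or (as with CDN-cached responses) generously far out.
func RefreshAfter(w OCSPWindow, maxAge time.Duration) time.Time {
	deadline := w.ThisUpdate.Add(maxAge)
	if !w.NextUpdate.IsZero() && w.NextUpdate.Before(deadline) {
		deadline = w.NextUpdate
	}
	return deadline
}

// ReusableAt reports whether a cached response may be embedded in a signature
// made at signingTime: nil when it is usable, otherwise an error saying why a
// fresh response has to be fetched.
func ReusableAt(w OCSPWindow, signingTime time.Time, maxAge time.Duration) error {
	if signingTime.Before(w.ThisUpdate) {
		return fmt.Errorf("signing time %s precedes thisUpdate %s", signingTime.UTC(), w.ThisUpdate.UTC())
	}
	if deadline := RefreshAfter(w, maxAge); signingTime.After(deadline) {
		return fmt.Errorf("stale at %s: refresh needed after %s", signingTime.UTC(), deadline.UTC())
	}
	return nil
}

func main() {
	// Constructed sample: response produced 1 Jan 2024, responder allows 7 days,
	// local policy allows 24 hours. Third signing time falls past both limits.
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	w := OCSPWindow{ThisUpdate: t0, NextUpdate: t0.Add(7 * 24 * time.Hour)}
	for _, at := range []time.Time{t0.Add(12 * time.Hour), t0.Add(36 * time.Hour), t0.Add(8 * 24 * time.Hour)} {
		fmt.Printf("%s: %v\n", at.Format(time.RFC3339), ReusableAt(w, at, 24*time.Hour))
	}
}
```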
Ah, I thought the

As I see this in the readme:

However, looking into the source code, it doesn't actually work as a cache :) and it's always re-downloaded even when it's already there.
How does the RevocationData cache work?

Should it be cleared once in a while? Is there some expiry after which the OCSP response or CRL response is no longer valid?

In the EU checker, I see

And there, I see the entire validity of the cert. So the OCSP response can always be reused, as long as the certificate stays the same? I think it can, just making sure.