Open Bug 1050451 Opened 6 years ago Updated 3 years ago
Encoded OCSPResponse doesn't return validity period of the signer cert
mozilla::pkix::VerifyEncodedOCSPResponse returns the thisUpdate and nextUpdate times from the OCSP response, which are used by the OCSP response caching logic to determine whether and/or for how long to cache the response. However, the validity period of the signer certificate (whether it is the issuer, or a delegated responder) is also a factor in how a response should be used and cached. I propose that we change VerifyEncodedOCSPResponse, replacing the thisUpdate and nextUpdate output parameters with notBefore and notAfter output parameters, where notBefore = max(signer.notBefore, response.thisUpdate) and notAfter = min(signer.notAfter, response.nextUpdate), with the edge cases of the OCSP response fields (e.g. missing nextUpdate) handled the same way we currently do.
Whiteboard: [good next bug]
Whiteboard: [good next bug] → [psm-backlog]
Priority: -- → P3
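The clamping proposed in the description, as an added example that is not part of the bug report or of mozilla::pkix. The types `Validity` and `OcspTimes`, the function names, the use of epoch seconds, and the fallback lifetime for a missing nextUpdate are all assumptions made for illustration; the bug does not state how the missing-nextUpdate case is currently handled.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>

// Hypothetical types; all times are seconds since the epoch.
struct Validity { int64_t notBefore; int64_t notAfter; };

struct OcspTimes {
  int64_t thisUpdate;
  bool hasNextUpdate;   // nextUpdate is OPTIONAL in an OCSP SingleResponse
  int64_t nextUpdate;   // only meaningful when hasNextUpdate is true
};

// Assumed fallback lifetime when nextUpdate is absent (not taken from the bug).
const int64_t kAssumedMaxLifetime = 10 * 24 * 60 * 60;

// Computes the window in which a response may be used and cached:
//   notBefore = max(signer.notBefore, response.thisUpdate)
//   notAfter  = min(signer.notAfter,  response.nextUpdate)
// Returns false when the response times are inverted or when the signer
// certificate's validity does not overlap the response's validity at all.
bool EffectiveWindow(const Validity& signer, const OcspTimes& response,
                     Validity& out) {
  const int64_t responseEnd = response.hasNextUpdate
      ? response.nextUpdate
      : response.thisUpdate + kAssumedMaxLifetime;
  if (responseEnd < response.thisUpdate) return false;
  out.notBefore = std::max(signer.notBefore, response.thisUpdate);
  out.notAfter = std::min(signer.notAfter, responseEnd);
  return out.notBefore <= out.notAfter;
}

// True when a cached response may still be served at time `now`.
bool UsableAt(const Validity& signer, const OcspTimes& response, int64_t now) {
  Validity w;
  return EffectiveWindow(signer, response, w) &&
         now >= w.notBefore && now <= w.notAfter;
}

int main() {
  // Constructed values: a delegated responder cert that expires at 5000,
  // signing a response that claims to be fresh until 9000.
  const Validity signer = {1000, 5000};
  const OcspTimes response = {2000, true, 9000};
  Validity w;
  if (EffectiveWindow(signer, response, w))
    std::printf("cache window: [%lld, %lld]\n",
                (long long)w.notBefore, (long long)w.notAfter);
  return 0;
}
```

With the constructed values in `main`, a cache keyed only on thisUpdate and nextUpdate would keep serving the response until 9000, while the clamped window ends at 5000 when the signer certificate expires.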