Bug 1050451
Opened 11 years ago
Updated 2 years ago
mozilla::pkix::VerifyEncodedOCSPResponse doesn't return validity period of the signer cert
Categories: Core :: Security: PSM, defect, P3
Status: NEW
Reporter: briansmith; Assignee: Unassigned
Keywords: helpwanted; Whiteboard: [psm-backlog]
mozilla::pkix::VerifyEncodedOCSPResponse returns the thisUpdate and nextUpdate times from the OCSP response, which are used by the OCSP response caching logic to determine whether and/or for how long to cache the response. However, the validity period of the signer certificate (whether it is the issuer, or a delegated responder) is also a factor in how a response should be used and cached.
I propose that we change VerifyEncodedOCSPResponse, replacing the thisUpdate and nextUpdate output parameters with notBefore and notAfter output parameters, where notBefore = max(signer.notBefore, response.thisUpdate) and notAfter = min(signer.notAfter, response.nextUpdate), with the edge cases of the OCSP response fields (e.g. missing nextUpdate) handled the same way we currently do.
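The window computation proposed in the description, as an added example that is not mozilla::pkix code and not part of the original report: it intersects the signer certificate's validity period with the response's thisUpdate/nextUpdate window, so a delegated responder whose certificate expires before nextUpdate shortens the usable (and cacheable) lifetime. The names `Seconds`, `Window`, `EffectiveValidity` and `IsUsableAt`, the use of plain epoch seconds instead of `mozilla::pkix::Time`, and the handling of a missing nextUpdate (capping the response at thisUpdate plus a caller-supplied `maxLifetime`) are assumptions for illustration; the bug only says the edge cases should be handled as the library does today.

```cpp
// Added example, not mozilla::pkix code. Computes the effective window during
// which a verified OCSP response may be relied upon and cached: the
// intersection of the signer certificate's validity period with the
// response's thisUpdate/nextUpdate window, as proposed in the bug.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <optional>

using Seconds = std::int64_t;  // assumption: epoch seconds stand in for pkix::Time

struct Window {
  Seconds notBefore;
  Seconds notAfter;
};

// Returns the effective validity window, or std::nullopt when no usable
// window exists: the signer's validity period is inverted, nextUpdate
// precedes thisUpdate (malformed response), or the signer and response
// windows do not overlap at all.
//
// Assumption (not taken from mozilla::pkix): a response with no nextUpdate
// is treated as usable for at most maxLifetime after thisUpdate, and a
// present nextUpdate is also capped by that lifetime.
std::optional<Window> EffectiveValidity(Seconds signerNotBefore, Seconds signerNotAfter,
                                        Seconds thisUpdate, std::optional<Seconds> nextUpdate,
                                        Seconds maxLifetime) {
  if (signerNotAfter < signerNotBefore) {
    return std::nullopt;
  }

  Seconds responseNotAfter = thisUpdate + maxLifetime;
  if (nextUpdate.has_value()) {
    if (*nextUpdate < thisUpdate) {
      return std::nullopt;  // malformed: nextUpdate before thisUpdate
    }
    responseNotAfter = std::min(*nextUpdate, responseNotAfter);
  }

  // notBefore = max(signer.notBefore, response.thisUpdate)
  // notAfter  = min(signer.notAfter, response.nextUpdate (or its substitute))
  Window w{std::max(signerNotBefore, thisUpdate),
           std::min(signerNotAfter, responseNotAfter)};
  if (w.notAfter < w.notBefore) {
    return std::nullopt;  // signer and response windows do not overlap
  }
  return w;
}

// The caching decision: the response may be served from cache at `now` only
// while `now` lies inside the effective window.
bool IsUsableAt(const Window& w, Seconds now) {
  return w.notBefore <= now && now <= w.notAfter;
}

int main() {
  // Constructed sample: a delegated responder certificate valid over
  // [1000, 5000] signs a response with thisUpdate=2000, nextUpdate=8000.
  // Using nextUpdate alone would cache the response until 8000; the
  // signer's expiry clamps the window to 5000.
  auto w = EffectiveValidity(1000, 5000, 2000, 8000, 100000);
  if (w) {
    std::printf("effective window: [%lld, %lld]\n",
                static_cast<long long>(w->notBefore),
                static_cast<long long>(w->notAfter));
    std::printf("usable at 6000: %s\n", IsUsableAt(*w, 6000) ? "yes" : "no");
  }
  return 0;
}
```

The two clamps are the whole point of the proposal: the lower bound matters when a response is signed before its signer becomes valid, and the upper bound matters when the signer expires before the response's nextUpdate, which is the common case for short-lived delegated responder certificates.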
Updated 10 years ago: Keywords: helpwanted; Whiteboard: [good next bug]
Updated 9 years ago: Whiteboard: [good next bug] → [psm-backlog]
Updated 7 years ago: Priority: -- → P3
Updated 2 years ago: Severity: normal → S3