[
https://issues.apache.org/jira/browse/NIFI-14490?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann updated NIFI-14490:
------------------------------------
Status: Patch Available (was: Open)
> Deprecate OCSP Certificate Validation for Removal
> -------------------------------------------------
>
> Key: NIFI-14490
> URL: https://issues.apache.org/jira/browse/NIFI-14490
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The Online Certificate Status Protocol supports validating revocation status
> for client certificates using a standard HTTP request and response protocol.
> The NiFi framework supports optional validation through application
> configuration properties, with an implementation based on the Bouncy Castle
> library. Let's Encrypt is one of several large certificate authorities that are
> [ending support for OCSP|https://letsencrypt.org/2024/12/05/ending-ocsp/].
> Articles such as [The Slow Death of
> OCSP|https://www.feistyduck.com/newsletter/issue_121_the_slow_death_of_ocsp]
> describe the technical issues with implementing the protocol over the years,
> including poor adoption and "fail open" as a frequent default configuration.
> Although X.509 Client Certificate authentication should remain supported,
> custom OCSP validation should be deprecated and targeted for removal in a
> subsequent minor framework version. Given the infrastructure required, and
> alternative solutions such as short-lived certificates, OCSP support should
> not be maintained.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
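The "fail open" default mentioned in the issue is easy to see with the JDK's own revocation checker, shown here as an added example that is not NiFi's Bouncy Castle-based implementation and not part of the ticket. Run against a client chain whose OCSP responder is unreachable, the SOFT_FAIL (fail-open) policy accepts the certificate and only records the failure in getSoftFailExceptions(), while the fail-closed policy rejects it with UNDETERMINED_REVOCATION_STATUS. The class name, the Outcome holder and the two PEM file arguments are assumptions for the demonstration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Added example: OCSP revocation checking under fail-open and fail-closed policies. */
public final class OcspPolicyCheck {

    /** Outcome of one validation attempt (hypothetical holder type for this example). */
    public static final class Outcome {
        public final boolean accepted;
        public final String detail;

        Outcome(boolean accepted, String detail) {
            this.accepted = accepted;
            this.detail = detail;
        }
    }

    /**
     * Validates the chain with OCSP revocation checking of the end-entity certificate.
     * failOpen=true adds SOFT_FAIL: a network error or a tryLater/internalError from the
     * responder is tolerated and the chain is accepted. failOpen=false makes the same
     * condition a validation failure.
     */
    public static Outcome validate(CertPath path, Set<TrustAnchor> anchors, boolean failOpen)
            throws Exception {
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> options = EnumSet.of(
                PKIXRevocationChecker.Option.NO_FALLBACK,       // OCSP only, no CRL fallback
                PKIXRevocationChecker.Option.ONLY_END_ENTITY);  // only the client certificate
        if (failOpen) {
            options.add(PKIXRevocationChecker.Option.SOFT_FAIL); // the "fail open" policy
        }
        checker.setOptions(options);

        // Adding the checker explicitly replaces the default revocation mechanism.
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(checker);
        try {
            validator.validate(path, params);
        } catch (CertPathValidatorException e) {
            // Fail-closed: an unreachable responder surfaces as UNDETERMINED_REVOCATION_STATUS.
            return new Outcome(false, e.getReason() + ": " + e.getMessage());
        }
        // Fail-open: validation succeeded, but swallowed failures are recorded here.
        List<CertPathValidatorException> soft = checker.getSoftFailExceptions();
        if (!soft.isEmpty()) {
            return new Outcome(true, "accepted despite " + soft.size()
                    + " ignored revocation failure(s): " + soft.get(0).getMessage());
        }
        return new Outcome(true, "revocation status confirmed by responder");
    }

    private static List<Certificate> readPem(CertificateFactory cf, String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return new ArrayList<>(cf.generateCertificates(in));
        }
    }

    /** Usage: java OcspPolicyCheck <client-chain.pem> <ca.pem> (leaf first, CA excluded from chain). */
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: OcspPolicyCheck <client-chain.pem> <ca.pem>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(readPem(cf, args[0]));
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Certificate ca : readPem(cf, args[1])) {
            anchors.add(new TrustAnchor((X509Certificate) ca, null));
        }
        for (boolean failOpen : new boolean[] {true, false}) {
            Outcome outcome = validate(path, anchors, failOpen);
            System.out.printf("%-11s accepted=%s (%s)%n",
                    failOpen ? "fail-open" : "fail-closed", outcome.accepted, outcome.detail);
        }
    }
}
```

The checker reads the responder URL from the leaf certificate's Authority Information Access extension, so the two runs differ only in policy. A deployment that never inspects getSoftFailExceptions() (or the equivalent in another implementation) gets the fail-open behaviour the issue describes: the certificate is accepted exactly when the revocation infrastructure is unavailable, which is the situation revocation checking exists to handle. Short-lived certificates avoid the question entirely by bounding the window in which a compromised key is usable.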