[ https://issues.apache.org/jira/browse/NIFI-14490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17946454#comment-17946454 ]

ASF subversion and git services commented on NIFI-14490:
--------------------------------------------------------

Commit 18cc662b5af718dce7d207ba38dd1dc2206ec0c3 in nifi's branch 
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=18cc662b5a ]

NIFI-14490 Deprecated OCSP Certificate Validation for Removal

Signed-off-by: Pierre Villard <[email protected]>

This closes #9890.


> Deprecate OCSP Certificate Validation for Removal
> -------------------------------------------------
>
>                 Key: NIFI-14490
>                 URL: https://issues.apache.org/jira/browse/NIFI-14490
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The Online Certificate Status Protocol supports validating revocation status 
> for client certificates using a standard HTTP request and response protocol.
> The NiFi framework supports optional validation through application 
> configuration properties, with an implementation based on the Bouncy Castle 
> library. Let's Encrypt is one of several large certificate authorities that are 
> [ending support for OCSP|https://letsencrypt.org/2024/12/05/ending-ocsp/]. 
> Articles such as [The Slow Death of 
> OCSP|https://www.feistyduck.com/newsletter/issue_121_the_slow_death_of_ocsp] 
> describe the technical issues with implementing the protocol over the years, 
> including poor adoption and "fail open" as a frequent default configuration.
> Although X.509 Client Certificate authentication should remain supported, 
> custom OCSP validation should be deprecated and targeted for removal in a 
> subsequent minor framework version. Given the infrastructure required, and 
> alternative solutions such as short-lived certificates, OCSP support should 
> not be maintained.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
