Ilari Liusvaara <ilariliusva...@welho.com> writes:

> > On Fri, Apr 21, 2017 at 10:52 AM, Nikos Mavrogiannopoulos <n...@redhat.com>
> > wrote:
> > >
> > > My issue with OCSP when used under TLS was how to determine the
> > > validity of the response when the nextUpdate field is missing. I've
> > > added some text for that introducing an (arbitrary) upper limit at:
> > > https://github.com/tlswg/tls13-spec/pull/974
...
> Does anybody happen to know a CA that doesn't put NextUpdate in? If so,
> what's the OCSP issuance frequency?
The definition is:

    If nextUpdate is not set, the responder is indicating that newer
    revocation information is available all the time.

I think 15 days is much too long. I would suggest wording it more like:

    If the nextUpdate value is omitted, the server SHOULD refresh the
    response so that the thisUpdate field is no more than 24 hours in the
    past.

and not place any requirement on the client; if the client wants fresher
information than the server provides, it can go fetch it itself.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
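Not part of the thread or of the spec PR: an added client-side freshness check that makes the 15-day versus 24-hour disagreement concrete for a stapled response whose nextUpdate is absent. The OcspSingleResponse type, the policy constants, the clock-skew tolerance and the sample timestamps are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy knobs under discussion in the thread (assumed names):
PR_974_MAX_AGE = timedelta(days=15)      # the PR's arbitrary upper limit
PROPOSED_MAX_AGE = timedelta(hours=24)   # the reply's server refresh target
CLOCK_SKEW = timedelta(minutes=5)        # tolerated drift between responder and client clocks


@dataclass(frozen=True)
class OcspSingleResponse:
    """The two timestamps a client needs from a stapled OCSP SingleResponse (constructed type)."""
    this_update: datetime
    next_update: Optional[datetime]  # None when the responder omitted nextUpdate


def freshness(resp: OcspSingleResponse, now: datetime, max_age_without_next_update: timedelta) -> str:
    """Classify a stapled response as 'fresh', 'stale' or 'invalid'.

    When nextUpdate is present it bounds validity (RFC 6960 semantics).
    When it is absent the responder promises newer data "all the time", so the
    only usable bound is the age limit the client (or the spec) chooses.
    """
    if resp.this_update > now + CLOCK_SKEW:
        return "invalid"  # produced in the future: broken clock or bogus response
    if resp.next_update is not None:
        if resp.next_update < resp.this_update:
            return "invalid"  # self-contradictory validity window
        return "fresh" if now <= resp.next_update + CLOCK_SKEW else "stale"
    return "fresh" if now - resp.this_update <= max_age_without_next_update else "stale"


def compare_policies(resp: OcspSingleResponse, now: datetime) -> dict:
    """Show how the same response fares under the 15-day limit and the 24-hour target."""
    return {
        "pr_974_15d": freshness(resp, now, PR_974_MAX_AGE),
        "proposed_24h": freshness(resp, now, PROPOSED_MAX_AGE),
    }


# Constructed samples evaluated at a fixed "now" so results are reproducible:
# a responder that omits nextUpdate and signed three days ago, and one whose
# nextUpdate has already passed.
NOW = datetime(2017, 4, 24, 12, 0, tzinfo=timezone.utc)
SAMPLE = OcspSingleResponse(this_update=NOW - timedelta(days=3), next_update=None)
SAMPLE_EXPIRED = OcspSingleResponse(this_update=NOW - timedelta(days=2), next_update=NOW - timedelta(days=1))

if __name__ == "__main__":
    print(compare_policies(SAMPLE, NOW))  # {'pr_974_15d': 'fresh', 'proposed_24h': 'stale'}
```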