[cabfpub] Compatibility issue with OCSP responses expiring after signer cert expires

Brian Smith brian at briansmith.org
Thu Jul 31 14:59:12 UTC 2014


Hi,

I have learned that at least one (and I believe all, or almost all)
web servers that implement OCSP stapling ignore the expiration time of
the signer certificate (either the delegated OCSP response signer
certificate, or the certificate issuer's certificate) when caching
OCSP responses. Consequently, if the signer certificate expires before
the OCSP response expires (i.e. before the date in the OCSP response's
nextUpdate), the web server will staple an OCSP response that some web
browsers (particularly, Mozilla Firefox) will reject due to the
expired signer certificate.

To work around this issue, please ensure that all your OCSP responses
include the nextUpdate time (i.e. do not treat it as optional, even
though the OCSP specification says it is optional) and ensure that the
notAfter time of the responder certificate is later than the
nextUpdate time of the OCSP response.

Note that in Firefox 31, the time at which Firefox considers the OCSP
response signer certificate to be expired has changed. Previously,
Firefox compared the producedAt time given in the OCSP response to the
notBefore/notAfter times in the signer certificate. Now, Firefox
compares the time at which the certificate is being validated (i.e.
the current time) to the notBefore/notAfter time in the signer
certificate*. Consequently, Firefox will consider an OCSP response
signer certificate to be expired sooner in Firefox 31 and later.

If/when browsers implement the Must-Staple feature, I expect them to
work much like Firefox does in this respect, at least for Must-Staple
certificates. Firefox validates stapled OCSP responses more strictly
than other browsers primarily so that we all can learn about the
compatibility issues that will affect Must-Staple.

For a real-world example of this causing a problem with the
combination of Firefox, Microsoft IIS, and GlobalSign's OCSP
responder, see
https://bugzilla.mozilla.org/show_bug.cgi?id=1046223#c14

Cheers,
Brian

* It doesn't make sense to use the producedAt time, because the
producedAt time is certified by the certificate that we are
validating. If an attacker had stolen the key of an expired OCSP
response signing certificate, then they would be able to forge an OCSP
response with a producedAt time before the expiration of the stolen
certificate.



More information about the Public mailing list