Change Validity Period on OCSP Responses

Question

  • Question:
    Does the Microsoft OCSP Responder service support changing the validity period of OCSP responses? Specifically, I am not talking about changing the validity period on the OCSP Signing certificate, changing the validity period on the CRLs, or the HTTP cache control headers (max-age).

    Explanation:
    From the DigiNotar situation it was demonstrated that there is a problem with OCSP responses having too long a validity period. One of the strengths of OCSP is supposed to be providing the most current revocation information. Microsoft's OCSP Responder is capable of providing fairly up-to-date revocation information by telling the responder service to regularly pull CRLs from the CDPs, but any responses that have already been sent out will be valid until the expiration of the CRL or of the OCSP signing certificate. Changing the HTTP cache control headers can help by telling the end clients to look for updates after a max-age. This however would not stop a bad guy from retrieving a valid OCSP response (as in the DigiNotar situation, a 'valid' response for a certificate that doesn't even exist), ignoring the cache control fields and using OCSP stapling.

    Friday, July 13, 2012 4:30 PM

Answers

  • The only way is to reduce CRL validity.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    • Proposed as answer by Brian Komar [MVP] Saturday, July 14, 2012 9:34 PM
    • Marked as answer by 朱鸿文 Tuesday, July 17, 2012 2:23 AM
    Friday, July 13, 2012 5:03 PM
  • Adding to Vadims answer

    - Only publish the CRL and Delta CRL to a highly available Web site

    - Only publish CRL and Delta CRL to an internally and externally accessible Web site

    This will reduce latency and allow for shorter CRLs

    But make sure that the majority of your clients are OCSP-capable (Vista or higher), otherwise you are going to create a lot of load on the HTTP location.

    Brian

    • Marked as answer by 朱鸿文 Tuesday, July 17, 2012 2:23 AM
    Saturday, July 14, 2012 9:35 PM
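
The CA-side change that the accepted answer calls for, written out as an added example (this is not code from the thread, nor from Vadims or Brian): it shortens the base and delta CRL schedule on an AD CS CA with certutil, restarts the CA service so the new schedule takes effect, publishes fresh CRLs, and then fetches the revocation data for a test certificate so the OCSP response window can be compared with the CRL's. Every period value and the path C:\temp\leaf.cer are assumptions chosen for illustration; pick your own after checking CDP reachability and the share of OCSP-capable clients, as Brian's answer warns.

```powershell
# Added example (not from the thread): shorten the CRL schedule on an AD CS CA
# so that OCSP responses derived from that CRL carry a correspondingly short
# validity window. Run in an elevated PowerShell session on the CA.
# All period values and the test certificate path are assumptions chosen for
# illustration.

$ErrorActionPreference = 'Stop'

$crlSettings = @(
    'CRLPeriodUnits', 'CRLPeriod',
    'CRLOverlapUnits', 'CRLOverlapPeriod',
    'CRLDeltaPeriodUnits', 'CRLDeltaPeriod',
    'CRLDeltaOverlapUnits', 'CRLDeltaOverlapPeriod'
)

function Show-CrlSchedule {
    # Print the current values; certutil -getreg echoes lines such as
    # "  CRLPeriodUnits REG_DWORD = 1" or "  CRLPeriod REG_SZ = Days".
    foreach ($name in $crlSettings) {
        certutil -getreg "CA\$name" | Select-String -Pattern 'REG_'
    }
}

'--- before ---'
Show-CrlSchedule

# Base CRL: valid for 1 day, published 2 hours before the previous one expires
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Days'
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod 'Hours'

# Delta CRL: valid for 4 hours, published 1 hour early
certutil -setreg CA\CRLDeltaPeriodUnits 4
certutil -setreg CA\CRLDeltaPeriod 'Hours'
certutil -setreg CA\CRLDeltaOverlapUnits 1
certutil -setreg CA\CRLDeltaOverlapPeriod 'Hours'

# The CA service reads these settings on start: restart it, then force a
# publication so the shorter-lived CRLs reach the CDPs immediately.
Restart-Service -Name CertSvc
certutil -CRL

'--- after ---'
Show-CrlSchedule

# End-to-end check: -urlfetch retrieves the CRL and the OCSP response from the
# CDP/AIA URLs inside the certificate and prints what it got back, including
# the ThisUpdate/NextUpdate timestamps, so the OCSP window can be compared with
# the CRL's. C:\temp\leaf.cer is a placeholder for any certificate issued by
# this CA.
certutil -verify -urlfetch 'C:\temp\leaf.cer'
```

Two things to confirm after running it. First, the revocation configuration on the Online Responder must actually pick up the shorter CRLs: in the responder's revocation provider settings, either refresh CRLs based on their validity period or set an explicit refresh interval shorter than the new delta CRL lifetime, otherwise the responder keeps answering from the old CRL until its own timer fires. Second, the delta CRL is now the short-lived object, so it has to be on the highly available, internally and externally reachable location Brian describes; if the delta CDP is unreachable, clients fall back to the base CRL and the shorter window is lost.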
