Hi!
I'm configuring OCSP cache timeout with my Apache server. The default value is 1 hour which seems a bit low. I've not seen any recommendation on OCSP cache timeout during my searches but when I read ISRG CP v3.0 - Let's Encrypt it says:
Effective 2020-09-30:
OCSP responses MUST have a validity interval greater than or equal to eight hours;
OCSP responses MUST have a validity interval less than or equal to ten days;
For OCSP responses with validity intervals less than sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol prior to one-half of the validity period before the nextUpdate.
For OCSP responses with validity intervals greater than or equal to sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol at least eight hours prior to the nextUpdate, and no later than four days after the thisUpdate.
Does this mean I should use 8 hours or 10 days? I assume my server will understand the OCSP response timeout and refresh earlier than my cache timeout if it is lower?
What implications are there if I use too long vs too short?
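The following is an added example, not part of the post above and not Apache's own code. It models the two validity rules quoted from the ISRG CP (refresh before half the validity period for responses under sixteen hours; at least eight hours before nextUpdate and within four days of thisUpdate for longer ones) and shows how a server-side cache timeout interacts with a response's nextUpdate: the configured timeout is only a ceiling, and the response's own nextUpdate is the hard limit. The timestamps and the five-minute safety margin are constructed for illustration, and `is_usable` is an assumed model of a freshness cap such as Apache's SSLStaplingResponseMaxAge, not a transcription of mod_ssl's logic.

```python
from datetime import datetime, timedelta, timezone

# Bounds and thresholds taken from the quoted ISRG CP text.
MIN_VALIDITY = timedelta(hours=8)
MAX_VALIDITY = timedelta(days=10)
LONG_RESPONSE = timedelta(hours=16)   # threshold between the two refresh rules
EIGHT_HOURS = timedelta(hours=8)
FOUR_DAYS = timedelta(days=4)


def ca_refresh_deadline(this_update, next_update):
    """Latest moment the CA must publish a fresh response, per the quoted rule.

    Raises ValueError if the validity interval is outside the 8h..10d range
    the CP allows, since such a response should not be relied on at all.
    """
    validity = next_update - this_update
    if validity < MIN_VALIDITY or validity > MAX_VALIDITY:
        raise ValueError(f"validity interval {validity} is outside 8h..10d")
    if validity < LONG_RESPONSE:
        # Short responses: refreshed before half the validity period has elapsed.
        return next_update - validity / 2
    # Long responses: at least 8h before nextUpdate and within 4 days of thisUpdate.
    return min(next_update - EIGHT_HOURS, this_update + FOUR_DAYS)


def is_usable(this_update, next_update, now, max_age=None):
    """True if a server may still staple this response at time `now`.

    `max_age` is an optional freshness cap on (now - thisUpdate). Assumption:
    this mirrors what a directive like SSLStaplingResponseMaxAge enforces.
    """
    if not (this_update <= now < next_update):
        return False
    if max_age is not None and now - this_update > max_age:
        return False
    return True


def stapling_cache_ttl(next_update, now, configured_timeout,
                       margin=timedelta(minutes=5)):
    """Seconds a server should keep a cached response before re-fetching.

    The configured cache timeout is a ceiling; nextUpdate minus a safety
    margin (constructed here as 5 minutes) is the hard limit, so a long
    timeout never results in stapling an expired response.
    """
    remaining = next_update - margin - now
    if remaining <= timedelta(0):
        return 0
    return int(min(configured_timeout, remaining).total_seconds())


def demo():
    """Constructed sample timestamps; returns the values worth inspecting."""
    def ts(s):
        return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

    # An 8-hour response and a 7-day response, both issued at the same moment.
    issued = ts("2024-01-01T00:00:00")
    short_next = issued + timedelta(hours=8)
    long_next = issued + timedelta(days=7)
    now = issued + timedelta(hours=1)
    ten_days = timedelta(days=10)
    return {
        "short_deadline": ca_refresh_deadline(issued, short_next),
        "long_deadline": ca_refresh_deadline(issued, long_next),
        # A 10-day cache setting is clamped to what each response actually allows.
        "short_ttl_10d": stapling_cache_ttl(short_next, now, ten_days),
        "long_ttl_10d": stapling_cache_ttl(long_next, now, ten_days),
        # A 1-hour setting (Apache's documented default) is never the limiting factor here.
        "long_ttl_1h": stapling_cache_ttl(long_next, now, timedelta(hours=1)),
        "usable_now": is_usable(issued, long_next, now),
        "usable_after_expiry": is_usable(issued, long_next,
                                         long_next + timedelta(seconds=1)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the refresh deadlines and effective TTLs for the two constructed responses; the point to take away is that the cache timeout on the server only matters when it is shorter than the remaining validity of the response, so a check against nextUpdate belongs in the serving path regardless of which timeout is configured.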