OCSP server response expires before OCSP reply - RFC 5019 section-6.2 breakage

The OCSP server response expires before the OCSP certified reply expires:

server response headers
Date: Tuesday, 19 April 2016 08:41 GMT
Last Modified: Saturday, 16 April 2016 08:00 UTC
Expires: Tuesday, 19 April 2016 20:41 GMT
Cache Control Max-age: 12h0m0s
Server Software: nginx
Content Delivery Network (CDN): Akamai
Cache Information: TCP_MISS from a23-62-98-156.deploy.akamaitechnologies.com (AkamaiGHost/7.4.4-17006907) (-)

OCSP response information
Source: Authority Information Access in Certificate
Location: http://ocsp.int-x3.letsencrypt.org/ (POST)
Size: 532 bytes (DER data)
Response time: 224.635177ms
Signature algorithm: SHA256WithRSA
Signature type: CA Deligated
Reported statuses: 1
This update: Saturday, 16 April 2016 08:00 UTC
Next update: Saturday, 23 April 2016 08:00 UTC
Produced at: Saturday, 16 April 2016 08:02 UTC
Status: Good

source:
https://certificate.revocationcheck.com/www.valu-lui-traian.ro

Expires cache header is not the same as the NextUpdate field (RFC 5019 section 6.2)


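The comparison reported above can be reproduced offline. This is an added example, not part of the original post or of the revocationcheck.com tool: the function name `check_ocsp_cache_headers` is hypothetical, and the header strings are constructed from the values in the post with seconds assumed to be `:00`. It also checks `Last-Modified` and `max-age` against the same section of RFC 5019.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def check_ocsp_cache_headers(headers, this_update, next_update):
    """List deviations of HTTP cache headers from RFC 5019 section 6.2.

    Each finding is (header, problem, size of the gap or None).
    """
    h = {k.lower(): v for k, v in headers.items()}
    when = lambda name: parsedate_to_datetime(h[name]) if name in h else None
    last_mod, expires, date = when("last-modified"), when("expires"), when("date")
    findings = []
    # Last-Modified is expected to equal thisUpdate.
    if last_mod != this_update:
        findings.append(("last-modified", "differs from thisUpdate", None))
    # Expires is expected to equal nextUpdate. Early only costs cache hits;
    # late lets a cache keep serving the response after it stops being valid.
    if expires is None:
        findings.append(("expires", "missing", None))
    elif expires != next_update:
        side = "later" if expires > next_update else "earlier"
        findings.append(("expires", f"{side} than nextUpdate",
                         abs(expires - next_update)))
    # Date + max-age should land after thisUpdate and before nextUpdate;
    # landing exactly on nextUpdate is accepted here.
    m = re.search(r"max-age\s*=\s*(\d+)", h.get("cache-control", ""))
    if m and date:
        fresh_until = date + timedelta(seconds=int(m.group(1)))
        if not this_update < fresh_until <= next_update:
            findings.append(("max-age", "freshness ends outside the window", None))
    return findings

# Constructed sample: values from the post, rewritten as HTTP-date strings.
SAMPLE_HEADERS = {
    "Date": "Tue, 19 Apr 2016 08:41:00 GMT",
    "Last-Modified": "Sat, 16 Apr 2016 08:00:00 GMT",
    "Expires": "Tue, 19 Apr 2016 20:41:00 GMT",
    "Cache-Control": "max-age=43200",  # 12h0m0s
}
THIS_UPDATE = datetime(2016, 4, 16, 8, 0, tzinfo=timezone.utc)
NEXT_UPDATE = datetime(2016, 4, 23, 8, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for header, problem, gap in check_ocsp_cache_headers(
            SAMPLE_HEADERS, THIS_UPDATE, NEXT_UPDATE):
        print(header, problem, gap)
```

In a real check, `this_update` and `next_update` would come from the parsed OCSP response rather than being typed in.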