JDK-8023362

Don't allow soft-fail behavior if OCSP responder returns "unauthorized"

Details

    • b108
    • Verified

    Description

      PKIXRevocationChecker.Option.SOFT_FAIL currently says:

               * Allow revocation check to succeed if the revocation status cannot be
               * determined for one of the following reasons:
               * <p><ul>
               * <li>The CRL or OCSP response cannot be obtained because of a
               * network error.
               * <li>The OCSP responder returns one of the following errors
               * specified in section 2.3 of RFC 2560: internalError, tryLater,
               * or unauthorized.

      unauthorized is an authoritative response from the responder; it is not caused by a network error, nor by the server being unable to return a response because of an exception. An OCSP responder can return this status when it doesn't know anything about the certificate, or when the certificate is expired and the responder no longer maintains/returns revocation status for it. If the unauthorized status is returned because the certificate is expired, a fallback to CRLs may succeed because the cert is not listed on the CRL. However, it is risky to depend on that, as revoked certificates may have been pruned from the CRL after they expired.
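
The distinction argued above, as an added example (not JDK code and not part of the original report): a minimal Python parser that reads responseStatus from a DER-encoded OCSPResponse and lets soft-fail apply only to internalError and tryLater, so unauthorized is rejected. The function names and sample bytes are constructed for illustration; the status values are those of RFC 2560.

```python
# Added illustration of the policy this issue asks for; not the JDK implementation.
# OCSPResponseStatus values from RFC 2560.
STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
# Only transient responder conditions may be soft-failed.
SOFT_FAIL_STATUSES = {2, 3}  # internalError, tryLater (unauthorized deliberately absent)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def ocsp_response_status(der):
    """Extract responseStatus from OCSPResponse ::= SEQUENCE { ENUMERATED, ... }."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse is not a SEQUENCE")
    tag, value, _ = read_tlv(body, 0)
    if tag != 0x0A or len(value) != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    return value[0]

def revocation_decision(der, soft_fail):
    """Return 'check-cert-status', 'soft-fail' or 'reject' for one responder reply."""
    status = ocsp_response_status(der)
    if status == 0:
        # successful: the caller must still verify the signature and read certStatus
        return "check-cert-status"
    if soft_fail and status in SOFT_FAIL_STATUSES:
        return "soft-fail"
    return "reject"  # authoritative errors, including unauthorized

if __name__ == "__main__":
    # Constructed samples: error responses carry only the status, no responseBytes.
    for sample in ("30030a0102", "30030a0103", "30030a0106"):
        der = bytes.fromhex(sample)
        name = STATUS_NAMES[ocsp_response_status(der)]
        print(name, "->", revocation_decision(der, soft_fail=True))
```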

            People

              mullan Sean Mullan