digitorus / pdfsign

Add/verify Advanced Electronic Signature (AES) and Qualified Electronic Signature (QES) in PDF (using pure Go)
BSD 2-Clause "Simplified" License
72 stars 16 forks

Should the revocation.RevocationData expire? #22

Closed karelbilek closed 10 months ago

karelbilek commented 10 months ago

How does the RevocationData cache work?

Should it be cleared once in a while? Is there some expiry after which the OCSP response or CRL response is no longer valid?

In the EU checker, I see

Is the current time in the validity range of the signer's certificate?

And there, I see the entire validity of the cert. So the OCSP response can always be reused, as long as the certificate stays the same? I think it can, just making sure

karelbilek commented 10 months ago

Hm, I also see the OCSP response has thisUpdate and nextUpdate thing. I am not sure if I should look at those or not.

The current codebase doesn't seem to look at them though

karelbilek commented 10 months ago
[screenshot: 2023-11-21 20:09:46]
karelbilek commented 10 months ago

Acrobat shows the OCSP thisUpdate/nextUpdate here

[screenshot: 2023-11-21 20:11:38, Acrobat's signature properties showing the OCSP thisUpdate/nextUpdate]

I cannot try now what will happen if I use old one when trying to sign the document with newer timestamp. :/

vanbroup commented 10 months ago

It's best to use a fresh OCSP response (as close as possible to your signing time, to ensure that the certificate was not revoked at the time of signing). The code does not cache the response, but you could do this if you have to sign a lot of documents in a batch.

Most CAs distribute OCSP responses through a Content Delivery Network (CDN), which will cache the response for a period of time. Only a few CAs support an OCSP nonce to enforce a fresh request on every request.

karelbilek commented 10 months ago

Ah, I thought the RevocationData argument is a cache?

As I see this in readme

    // cache revocation data when bulk signing

However looking into source code it doesn't actually work as a cache :) and it's always re-downloaded even when it's there already
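The thread above discusses two things that the library itself does not do: honouring an OCSP response's thisUpdate/nextUpdate window, and reusing a response across a batch of signatures. The following is an added example written for this page, not code from pdfsign or from any participant in the thread. It shows one way to combine the two: a small cache that hands back a previously fetched response only while the signing time still falls inside that response's own validity window, and refetches otherwise. The `OCSPInfo` type, the `Fetcher` callback, the constructed responder and the 10-minute safety margin are all assumptions made for the example; in real code the two timestamps would come from the parsed response (for instance `ocsp.Response.ThisUpdate` and `NextUpdate` in golang.org/x/crypto/ocsp) and `Fetcher` would do the HTTP round trip to the CA.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// OCSPInfo is the subset of a parsed OCSP response that decides whether the
// response can be embedded again in a later signature. It is a hypothetical
// stand-in for the ThisUpdate/NextUpdate fields a real OCSP parser exposes;
// only the freshness and caching logic is demonstrated here.
type OCSPInfo struct {
	DER        []byte    // raw response bytes, what would be embedded in the PDF
	ThisUpdate time.Time // responder's "status is accurate as of" time
	NextUpdate time.Time // zero when the responder set no nextUpdate
}

// Fresh reports whether the response may be reused for a signature made at t.
// margin stops a response from being embedded moments before nextUpdate
// passes, which a verifier applying a little clock skew would reject.
func (r OCSPInfo) Fresh(t time.Time, margin time.Duration) bool {
	if t.Before(r.ThisUpdate) {
		return false // response postdates the signing time: clock problem, do not reuse
	}
	if r.NextUpdate.IsZero() {
		return false // RFC 6960: no nextUpdate means newer info is always available, never reuse
	}
	return !t.Add(margin).After(r.NextUpdate) // t + margin <= nextUpdate
}

// Fetcher obtains a fresh response for the certificate (DER) from the CA's
// OCSP responder. It is injected so the cache can be exercised offline.
type Fetcher func(certDER []byte) (OCSPInfo, error)

// RevocationCache reuses OCSP responses across a batch of signatures, but
// only while they are inside their own validity window.
type RevocationCache struct {
	mu      sync.Mutex
	fetch   Fetcher
	margin  time.Duration
	entries map[string]OCSPInfo
	Fetches int // responder round trips so far, exposed for inspection
}

func NewRevocationCache(fetch Fetcher, margin time.Duration) *RevocationCache {
	return &RevocationCache{fetch: fetch, margin: margin, entries: map[string]OCSPInfo{}}
}

// cacheKey identifies the certificate by the hash of its DER encoding.
func cacheKey(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return hex.EncodeToString(sum[:])
}

// Get returns a response usable for a signature at signingTime, fetching a
// new one when nothing cached is fresh enough.
func (c *RevocationCache) Get(certDER []byte, signingTime time.Time) (OCSPInfo, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	k := cacheKey(certDER)
	if r, ok := c.entries[k]; ok && r.Fresh(signingTime, c.margin) {
		return r, nil
	}
	r, err := c.fetch(certDER)
	if err != nil {
		return OCSPInfo{}, err
	}
	c.Fetches++
	if !r.Fresh(signingTime, c.margin) {
		// A CDN can serve a response that is already near or past nextUpdate;
		// embedding it would produce a signature that verifiers reject.
		return OCSPInfo{}, errors.New("ocsp: responder returned a response not valid at the signing time")
	}
	c.entries[k] = r
	return r, nil
}

func main() {
	certDER := []byte("constructed stand-in for an end-entity certificate") // not a real certificate
	base := time.Date(2023, 11, 21, 20, 0, 0, 0, time.UTC)
	// Constructed responder: each answer is valid for 24 h from when it was produced.
	clock := base
	fetch := func([]byte) (OCSPInfo, error) {
		return OCSPInfo{DER: []byte("resp@" + clock.Format(time.RFC3339)), ThisUpdate: clock, NextUpdate: clock.Add(24 * time.Hour)}, nil
	}
	c := NewRevocationCache(fetch, 10*time.Minute)
	for _, at := range []time.Time{base, base.Add(time.Hour), base.Add(23*time.Hour + 55*time.Minute), base.Add(30 * time.Hour)} {
		clock = at
		r, err := c.Get(certDER, at)
		if err != nil {
			fmt.Println(at.Format(time.RFC3339), err)
			continue
		}
		fmt.Printf("%s -> %s (fetches so far: %d)\n", at.Format(time.RFC3339), r.DER, c.Fetches)
	}
}
```

Running the program shows the second signature (one hour later) reusing the first response, the third one (five minutes before nextUpdate, inside the margin) triggering a refetch, and the fourth reusing that second response. A batch signer built on this would also want a cap on how long an entry is reused regardless of nextUpdate, since a response that says "good" for 7 days cannot show a revocation that happens on day 2.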