Closed jcjones closed 2 years ago
it compares byte-for-byte that the responses are the same.
To clarify, this actually does a comparison of the statuses - so the ocsp-responder won't serve a good
response from Redis when the DB says revoked
, but it can serve different bytes.
I believe all necessary feature flags have been added:
Currently, an OCSP Responder configured with a Redis backend uses the MultiSource Source to blend the MariaDB and Redis results. As part of that blend, it compares byte-for-byte that the responses are the same.
When we roll this out, the each datacenter will have different OCSP Responses than the other, as the OCSP Updaters will be updating their own Redis instance.
Byte comparison is a good starting point, though it limits us to only deploying to the primary datacenter at present. A next phase, after proving the byte-for-byte operation, should be a feature flag to instead compare OCSP Update times.
The MultiSource would need to compare the DB row that is returned to both the OCSP Metadata to determine relative freshness, and the OCSP response data, to determine correctness. The general algorithm might look like:
Also, appropriate metrics should be updated at each leg of the way.