David Handermann created NIFI-14490:
---------------------------------------
Summary: Deprecate OCSP Certificate Validation for Removal
Key: NIFI-14490
URL: https://issues.apache.org/jira/browse/NIFI-14490
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Reporter: David Handermann
Assignee: David Handermann
The Online Certificate Status Protocol supports validating revocation status
for client certificates using a standard HTTP request and response protocol.
The NiFi framework supports optional validation through application
configuration properties, with an implementation based on the Bouncy Castle
library. Let's Encrypt is one of several large certificate authorities that are
[ending support for OCSP|https://letsencrypt.org/2024/12/05/ending-ocsp/].
Articles such as [The Slow Death of
OCSP|https://www.feistyduck.com/newsletter/issue_121_the_slow_death_of_ocsp]
describe the technical issues with implementing the protocol over the years,
including poor adoption and "fail open" as a frequent default configuration.
Although X.509 Client Certificate authentication should remain supported,
custom OCSP validation should be deprecated and targeted for removal in a
subsequent minor framework version. Given the infrastructure required, and
alternative solutions such as short-lived certificates, OCSP support should not
be maintained.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
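The "fail open" default the ticket refers to, shown as an added example rather than
anything from NiFi or from its Bouncy Castle based implementation: the JDK's own
PKIXRevocationChecker performs the same OCSP request/response exchange, and its
SOFT_FAIL option is exactly the fail-open behaviour (a responder that is unreachable
or non-committal is ignored and the path validates anyway). The certificate path,
trust anchors, and the OCSP responder reachable through the certificate's AIA
extension are assumed to be supplied by the caller; the validity-period check at the
end illustrates the short-lived-certificate alternative mentioned above and the
seven-day limit in it is an arbitrary assumption, not a NiFi setting.

```java
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.EnumSet;
import java.util.Set;

// Added example (not NiFi code): fail-open versus fail-closed OCSP revocation
// checking with the JDK PKIXRevocationChecker, plus a short-lived certificate check.
public final class RevocationPolicyExample {

    // Fail open: responder errors are swallowed and the path validates regardless.
    public static void validateFailOpen(CertPath path, Set<TrustAnchor> anchors) throws Exception {
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL));
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(checker);
        validator.validate(path, params);
        // With SOFT_FAIL the only trace of a missing revocation status is this list;
        // a caller that never inspects it has silently disabled revocation checking.
        for (CertPathValidatorException e : checker.getSoftFailExceptions()) {
            System.err.println("revocation status not obtained: " + e.getMessage());
        }
    }

    // Fail closed: revoked, unreachable, or undetermined status all fail validation.
    public static void validateFailClosed(CertPath path, Set<TrustAnchor> anchors) throws Exception {
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
        // No SOFT_FAIL. NO_FALLBACK disables the CRL fallback so the OCSP answer is
        // decisive; ONLY_END_ENTITY limits the query to the client certificate itself.
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK,
                                      PKIXRevocationChecker.Option.ONLY_END_ENTITY));
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(checker);
        // Throws CertPathValidatorException when the status is REVOKED or cannot be determined.
        validator.validate(path, params);
    }

    // Alternative named in the ticket: rely on a short validity period instead of OCSP.
    // The maximum validity is a policy choice; seven days is an assumed value.
    public static final Duration MAX_VALIDITY = Duration.ofDays(7);

    public static boolean isShortLived(X509Certificate cert) {
        Duration validity = Duration.between(cert.getNotBefore().toInstant(),
                                             cert.getNotAfter().toInstant());
        return validity.compareTo(MAX_VALIDITY) <= 0;
    }
}
```

The difference between the two validate methods is a single option; the fail-open
variant is the one that quietly degrades to no revocation checking whenever the
responder is slow or offline, which is the operational problem the referenced
articles describe. Without OCSP, isShortLived is the check that makes revocation
largely moot: a certificate that expires within days needs no status lookup.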