On 09/06/17 16:24, Bob Beck wrote:
> effectively providing a limitless OCSP staple is kind of stupid - you may as well simply *not staple*
I guess a stapled response without the next_update field set would be treated as valid until the client considers this_update to be too old (for ocspcheck, this seems to be set to 14 days via MAXAGE_SEC). In the case of stapling, I agree that it typically would be much better to use a short period for next_update than not to provide it at all.
In my case, I didn't want to use ocspcheck specifically for storing OCSP responses for stapling, but rather to check whether my local OCSP responder is actually working (i.e., the out-of-band way). In the out-of-band case, clients could also check for freshness by using nonces.
During these kinds of tests, I've also noticed that ocspcheck currently only connects to HTTP and HTTPS over their well-known ports, which seems to be fine for all public CAs but not necessarily for all local CAs with a corresponding OCSP daemon.
In case this lack of flexibility is intended in order to keep the tool simple, I'm also fine with it.
