Sertifitseerimiskeskus OCSP is not RFC compliant

This issue appeared a few months ago when SK introduced OCSP for KLASS-SK 2010 CA. Previously there was no OCSP at all, only CRL.

The issue is that the OCSP responder answers “revoked” for expired certificates. You might think one should never use an expired certificate. True, but the world is not always so black and white. You might not really care for retired or archived systems or for internal services. One might simply forget to renew a certificate, or the admin is on vacation, etc. People are imperfect and processes do fail. Previously you’d get a warning that the certificate is expired, but it’s easy to click through that, no worries. Now you get hard-blocked.

The current revision is RFC 6960, which basically says that a responder may reply “revoked” only if the certificate actually is revoked or if it has never been issued. In any other case the correct response is “good” or “unknown”. The obsoleted RFC 2560 makes basically the same statement.
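As an added illustration (not part of the original post, and not SK’s code), here is a small Python model of the RFC 6960 status rules placed next to the expiry-as-revocation behaviour described above, with a check that flags the discrepancy and a relying-party decision that treats expiry and revocation separately. The CA records, serial numbers, dates and function names are all constructed for the example.

```python
"""Model of OCSP certStatus semantics (RFC 6960 section 2.2) versus a responder
that reports expired certificates as revoked. All records below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


def dt(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC timestamp helper for the constructed data."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class IssuedCert:
    serial: int
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # None means never revoked


# Constructed issuance database of a hypothetical CA (not real SK data).
CA_RECORDS: Dict[int, IssuedCert] = {
    0x1001: IssuedCert(0x1001, dt(2012, 1, 1), dt(2014, 1, 1)),                          # within validity
    0x1002: IssuedCert(0x1002, dt(2010, 1, 1), dt(2012, 1, 1)),                          # expired, never revoked
    0x1003: IssuedCert(0x1003, dt(2012, 1, 1), dt(2014, 1, 1), revoked_at=dt(2013, 1, 1)),  # revoked
}

Responder = Callable[[Dict[int, IssuedCert], int, datetime], str]


def rfc6960_status(records: Dict[int, IssuedCert], serial: int, now: datetime) -> str:
    """Status a compliant responder returns. Expiry is not a revocation signal:
    'good' says nothing about the validity interval, which the client checks itself."""
    cert = records.get(serial)
    if cert is None:
        # No record of this serial ever being issued: RFC 6960 permits 'revoked' here.
        return REVOKED
    if cert.revoked_at is not None and cert.revoked_at <= now:
        return REVOKED
    return GOOD


def expiry_as_revocation_status(records: Dict[int, IssuedCert], serial: int, now: datetime) -> str:
    """The behaviour described in the post: an expired certificate is reported as revoked."""
    cert = records.get(serial)
    if cert is None:
        return REVOKED
    if cert.revoked_at is not None and cert.revoked_at <= now:
        return REVOKED
    if now > cert.not_after:
        return REVOKED  # non-compliant: expiry is not a revocation
    return GOOD


def find_noncompliant(records: Dict[int, IssuedCert], responder: Responder, now: datetime) -> list:
    """Serials for which the responder says 'revoked' while RFC 6960 rules say 'good'."""
    return sorted(
        serial for serial in records
        if responder(records, serial, now) == REVOKED
        and rfc6960_status(records, serial, now) == GOOD
    )


def client_verdict(cert: IssuedCert, ocsp_status: str, now: datetime) -> str:
    """Relying-party decision: revocation is a hard failure, expiry is a separate
    (and in many clients overridable) validity-period check."""
    if ocsp_status == REVOKED:
        return "reject: revoked"
    if now > cert.not_after:
        return "warn: expired"
    if now < cert.not_before:
        return "warn: not yet valid"
    return "accept"


if __name__ == "__main__":
    now = dt(2013, 6, 1)
    for serial, cert in CA_RECORDS.items():
        compliant = rfc6960_status(CA_RECORDS, serial, now)
        observed = expiry_as_revocation_status(CA_RECORDS, serial, now)
        print(f"{serial:#06x}: rfc6960={compliant:8} observed={observed:8} "
              f"client={client_verdict(cert, compliant, now)}")
    print("non-compliant answers:", [hex(s) for s in find_noncompliant(CA_RECORDS, expiry_as_revocation_status, now)])
```

The expired-but-unrevoked serial is the only one where the two responders disagree; with the compliant answer the client still sees the certificate as expired, it just gets that from notAfter rather than from a revocation status, which is where the post’s “warning versus hard block” difference comes from.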

SK support is aware of the issue, but their statement was that it will not be fixed. I guess that this is a business decision (you must order a new one – $$$ – or use a self-signed/internal CA), as I know of no other major CA that behaves like that. I’m not a security guy, but I don’t think it’s really an issue if a certificate is used a few days past its expiration date in the case of a human mistake.
