Bugzilla #1771552
Technical Compliance
Google Trust Services: OCSP responses not published in a timely manner
RESOLVED
FIXED
Google Trust Services LLC
AI Summary
Google Trust Services identified an issue with their OCSP responders where the `max-age` directive in the `Cache-Control` HTTP response header was set too high, potentially delaying the publication of updated OCSP responses. Following a thorough investigation, they implemented a series of changes to reduce the `max-age` value from 24 hours to 4 hours, significantly improving the timeliness of OCSP status updates. The issue did not result in certificate misissuance but may have caused delays in revocation status publication. The case has been resolved with the implementation of these changes.
Chronology
- Set max-age directive to 24 hours in legacy OCSP software.
- Updated max-age directive to 6 hours.
- Reduced max-age directive to 4 hours and completed evaluation of OCSP responders.
Participants
Cade Cairns
B Wilson
Similar Local Cases
Google Trust Services: CRL validity period set to expected value plus one second
Google Trust Services: digitalSignature KeyUsage not set
Google Trust Services: uses "DNSSec-mostly" and DTPs for DNS resolution
Sectigo: CRL validity beyond CPS allowed value
IdenTrust: OCSP responses for subordinate CA exceed the validity period per CPS guidelines
D-TRUST: CRL not DER-encoded
Amazon Trust Services: CRL not DER-encoded
GDCA: CRL validity period exceeds allowed value by one second