What are the Open Banking CA and OCSP expected behaviours?

The OCSP Responder for http://obtest.trustis.com/OCSP has the following behaviours:
· The OCSP service polls for an updated CRL file every 5 minutes.
· The CA creates a new CRL every 4 hours and every time a certificate is revoked.
· The CRLs are valid for 3 days each, overlapped every 4 hours.
· Any time there is a new CRL, it is shipped to the CRL location that the OCSP responder is polling.
· The OCSP responder retrieves and uploads the new status from the new CRL and continues polling for changes.
 
Based on the behaviours above, the OCSP responder can take up to 5 minutes to reflect a revoked certificate. Please do not revoke a certificate and then immediately query the OCSP service: it will not yet have been updated and will therefore report the certificate as “Valid”, even though it has been successfully revoked.
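
The polling behaviour above can be reproduced with a small model. This is an added example, not code from Open Banking or the OCSP service; the class, its method names, the poll phase starting at t=0, the "NoData" placeholder and the serial 'A1' are all assumptions made for illustration.

```python
from bisect import bisect_right

POLL_INTERVAL = 300  # seconds: the page states the responder polls every 5 minutes

class OcspResponderModel:
    """Toy model of a CRL-fed OCSP responder; not the real service's code."""

    def __init__(self, first_poll_at=0, poll_interval=POLL_INTERVAL):
        self.first_poll_at = first_poll_at    # assumed poll phase
        self.poll_interval = poll_interval
        self.crl_times = []   # when each CRL reached the polled location
        self.crl_sets = []    # revoked serials listed in each of those CRLs

    def publish_crl(self, at, revoked_serials):
        """Record a CRL arriving at the polled location at time `at` (seconds)."""
        if self.crl_times and at < self.crl_times[-1]:
            raise ValueError("CRLs must be published in time order")
        self.crl_times.append(at)
        self.crl_sets.append(frozenset(revoked_serials))

    def last_poll(self, at):
        """Time of the most recent poll at or before `at`, or None."""
        if at < self.first_poll_at:
            return None
        elapsed = at - self.first_poll_at
        return at - elapsed % self.poll_interval

    def status(self, serial, at):
        """Answer the modelled responder gives when queried at time `at`."""
        poll = self.last_poll(at)
        loaded = 0 if poll is None else bisect_right(self.crl_times, poll)
        if loaded == 0:
            return "NoData"   # model placeholder: no CRL picked up yet
        return "Revoked" if serial in self.crl_sets[loaded - 1] else "Valid"

    def safe_query_time(self, crl_published_at):
        """Earliest query time that is current whatever the poll phase."""
        return crl_published_at + self.poll_interval

def demo():
    """Constructed scenario: serial 'A1' is revoked; its CRL lands at t=610 s."""
    ocsp = OcspResponderModel()
    ocsp.publish_crl(0, [])          # routine CRL, nothing revoked
    ocsp.publish_crl(610, ["A1"])    # CRL issued because 'A1' was revoked
    return [(t, ocsp.status("A1", t)) for t in (620, 899, 900, 910)]

if __name__ == "__main__":
    for t, answer in demo():
        print(f"t={t:>4}s  OCSP says {answer}")
```

In an automated test that revokes a certificate and then checks OCSP, waiting until `safe_query_time` has passed avoids a false "Valid" result.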
 
If you need to query certificate validity, use the JWKS endpoint in the first instance: it is accurate because it is updated immediately every time a certificate is revoked.
 
If you need to query outside of the JWKS, please use the CRL located at http://obtest.trustis.com/pki/obtestissuingca.crl, as it is updated within 30 seconds of any certificate being revoked.