Bug ID: JDK-6744888 OCSP validation code should permit some clock skew when checking validity of OCSP responses

Details
Type: Bug
Submit Date: 2008-09-04
Status: Closed
Updated Date: 2010-05-11
Project Name: JDK
Resolved Date: 2008-09-09
Component: security-libs
OS: solaris_10
Sub-Component: java.security
CPU: sparc
Priority: P2
Resolution: Won't Fix
Affected Versions: 6u10
Fixed Versions: 6u11

Description
The OCSP validation code should permit some clock skew when checking the validity
of OCSP responses. Currently, the system clock and the OCSP server clock have to
be exactly synchronized or the following exception will be thrown:

    throw new IOException("Response is unreliable: its validity " +
        "interval is out-of-date");

                                    

Comments
SUGGESTED FIX

A default clock skew should be permitted (ex: 20 minutes). Ideally this default could be
overridden via an OCSP system or security property, but due to time constraints a 
separate CR will be opened for that feature.
                                     
2008-09-04
EVALUATION

This is an issue that needs to be fixed for 6569795 (plugin tests are failing). A 
small amount of clock skew should be tolerated and is also permitted in other OCSP implementations.
                                     
2008-09-04
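
The skew-tolerant validity check proposed in the suggested fix, as an added example that is not the JDK's own code. The class and method names, the handling of a missing nextUpdate, and the timestamps are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;

// Added illustration; not the JDK's OCSP code. All names here are hypothetical.
public class OcspSkewCheck {
    // 20 minutes is the example default given in the suggested fix.
    static final Duration DEFAULT_SKEW = Duration.ofMinutes(20);

    // Accepts the response when [thisUpdate, nextUpdate] overlaps [now - skew, now + skew].
    static void checkValidity(Instant thisUpdate, Instant nextUpdate,
                              Instant now, Duration skew) throws IOException {
        if (skew.isNegative()) {
            throw new IllegalArgumentException("skew must not be negative");
        }
        // nextUpdate is optional in OCSP; assumption: without it, the
        // response is only trusted around thisUpdate itself.
        Instant end = (nextUpdate != null) ? nextUpdate : thisUpdate;
        boolean notYetValid = thisUpdate.isAfter(now.plus(skew)); // responder clock ahead
        boolean expired = end.isBefore(now.minus(skew));          // responder clock behind
        if (notYetValid || expired) {
            throw new IOException("Response is unreliable: its validity "
                    + "interval is out-of-date");
        }
    }

    static boolean accepted(Instant thisUpdate, Instant nextUpdate, Instant now, Duration skew) {
        try {
            checkValidity(thisUpdate, nextUpdate, now, skew);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed timestamps: the responder's clock runs 5 minutes ahead of ours.
        Instant now = Instant.parse("2008-09-04T12:00:00Z");
        Instant thisUpdate = Instant.parse("2008-09-04T12:05:00Z");
        Instant nextUpdate = Instant.parse("2008-09-04T13:05:00Z");
        System.out.println("zero skew:    " + accepted(thisUpdate, nextUpdate, now, Duration.ZERO));
        System.out.println("default skew: " + accepted(thisUpdate, nextUpdate, now, DEFAULT_SKEW));
        // A response that expired two hours ago stays rejected even with the skew.
        Instant oldThis = Instant.parse("2008-09-04T09:00:00Z");
        Instant oldNext = Instant.parse("2008-09-04T10:00:00Z");
        System.out.println("stale:        " + accepted(oldThis, oldNext, now, DEFAULT_SKEW));
    }
}
```

The same tolerance that absorbs clock drift also extends how long an expired response is still accepted, so the skew should stay small.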