From b7e8b2c04681587f87480157e03d31403f1867ea Mon Sep 17 00:00:00 2001
From: Aaron Gable
Date: Mon, 26 Aug 2024 13:59:26 -0700
Subject: [PATCH 1/2] Add OmitShortLivedRevocation feature flag

---
 features/features.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/features/features.go b/features/features.go
index 262ce0933cf..4c24ec48013 100644
--- a/features/features.go
+++ b/features/features.go
@@ -117,6 +117,13 @@ type Config struct {
 // to be the authoritative source of rate limiting information for
 // new-account callers and disables the legacy rate limiting checks.
 UseKvLimitsForNewAccount bool
+
+ // OmitShortLivedRevocation causes the AIA OCSP URL and/or the CRLDP URL to be
+ // omitted from certificates whose validity period is less than or equal to 7
+ // days. This validity period is the threshold to qualify as a "Short-Lived
+ // Certificate" per the BRs Section 1.6.1, and therefore to not require
+ // revocation information per the BRs Sections 4.9.1.1 and 7.1.2.11.2.
+ OmitShortLivedRevocation bool
 }

 var fMu = new(sync.RWMutex)

From 00232e6989c7ab887255165575b8dab6ea021252 Mon Sep 17 00:00:00 2001
From: Aaron Gable
Date: Mon, 26 Aug 2024 15:19:03 -0700
Subject: [PATCH 2/2] Omit OCSP from short-lived certs when flag enabled

---
 issuance/cert.go | 7 +++++++
 test/config-next/ca.json | 4 +++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/issuance/cert.go b/issuance/cert.go
index b59ec8d8272..9a0ad0a5760 100644
--- a/issuance/cert.go
+++ b/issuance/cert.go
@@ -23,6 +23,7 @@ import (
 "github.com/letsencrypt/boulder/cmd"
 "github.com/letsencrypt/boulder/config"
+ "github.com/letsencrypt/boulder/features"
 "github.com/letsencrypt/boulder/linter"
 "github.com/letsencrypt/boulder/precert"
 )
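Review bot: The doc comment on the new OmitShortLivedRevocation field promises that the AIA OCSP URL "and/or the CRLDP URL" are omitted, but the only consumer in this series (issuance/cert.go in PATCH 2/2) clears `template.OCSPServer` and leaves CRL distribution points untouched, so the flag description over-states what enabling it does. Narrow it to what is implemented, e.g. `// OmitShortLivedRevocation causes the AIA OCSP URL to be omitted from certificates whose validity period is less than or equal to 7 days.`, and widen it when CRLDP handling actually lands. The comment also states "less than or equal to 7 days" while the check in cert.go is a strict `Before` against NotBefore+7d; those agree only if the validity period is counted inclusively (notAfter − notBefore + 1 s), which is worth spelling out here so the flag text and the comparison cannot drift apart.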
@@ -324,6 +325,12 @@ func (i *Issuer) Prepare(prof *Profile, req *IssuanceRequest) ([]byte, *issuance
 }
 template.DNSNames = req.DNSNames
+ // Remove revocation information if the certificate is short-lived and the
+ // feature flag to do so is enabled.
+ if features.Get().OmitShortLivedRevocation && template.NotAfter.Before(template.NotBefore.Add(24*7*time.Hour)) {
+ template.OCSPServer = nil
+ }
+
 switch req.PublicKey.(type) {
 case *rsa.PublicKey:
 if prof.omitKeyEncipherment {
diff --git a/test/config-next/ca.json b/test/config-next/ca.json
index 9c5fa449f63..0e9b9165b7f 100644
--- a/test/config-next/ca.json
+++ b/test/config-next/ca.json
@@ -152,7 +152,9 @@
 "ocspLogMaxLength": 4000,
 "ocspLogPeriod": "500ms",
 "ctLogListFile": "test/ct-test-srv/log_list.json",
- "features": {}
+ "features": {
+ "OmitShortLivedRevocation": true
+ }
 },
 "pa": {
 "challenges": {
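Review bot: The new short-lived check reads `template.NotAfter` and `template.NotBefore`, but nothing in this hunk shows them being populated first and Prepare both starts and continues outside the hunk; if they are still zero at this point, a zero NotAfter is Before zero-NotBefore+7d, so the condition is true for every certificate and the AIA OCSP URL would silently be dropped from all issuance rather than only short-lived certs. If the validity is indeed set earlier, a guard such as `if features.Get().OmitShortLivedRevocation && !template.NotAfter.IsZero() && template.NotAfter.Before(template.NotBefore.Add(shortLivedValidity)) {` makes that ordering dependency explicit and cheap. Because the threshold is a compliance boundary, the issuance unit tests should pin both sides of it — a template with NotAfter just under NotBefore+7d loses OCSPServer and one at exactly NotBefore+7d keeps it — instead of relying only on the config-next flag flip to exercise the branch. The bare `24*7*time.Hour` would also read better hoisted to a named constant with a comment tying it to the short-lived definition, e.g. `const shortLivedValidity = 7 * 24 * time.Hour`.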