RFC 7711, "PKIX over Secure HTTP (POSH)", November 2015
Source of RFC: xmpp (art)
Errata ID: 6338
Publication Format(s) : TEXT
Reported By: Bastien Lacoste
Date Reported: 2020-11-17
Section 6 says:
The POSH client MUST NOT cache results (reference or fingerprints) indefinitely. If the source domain returns a reference, the POSH client MUST use the lower of the two "expires" values when determining how long to cache results (i.e., if the reference "expires" value is lower than the fingerprints "expires" value, honor the reference "expires" value). Once the POSH client considers the results stale, it needs to perform the entire POSH operation again, starting with the HTTPS GET request to the source domain. The POSH client MAY use a lower value than any provided in the "expires" member(s), or not cache results at all.
It should say:
Add the following: If the source returns an invalid reference, the POSH client SHALL NOT cache the results (reference or fingerprint) and SHALL perform the entire POSH operation again whenever performing any further retry.
Notes:
If the reference is lost (e.g., an x509 certificate) and the POSH client does not refresh the fingerprint, then it fails until the old fingerprints expire... which will prevent the client from accessing a service because of caching, although the reference was updated on the source domain.
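The cache rule from Section 6 (honour the lower of the two "expires" values) together with the behaviour this erratum proposes (never cache a result obtained via an invalid reference, so that a retry restarts the whole POSH lookup) can be modelled as a small client-side cache policy. The following is an added illustration, not text or code from RFC 7711; the document shapes follow the RFC ("url"/"expires" for a reference, "fingerprints"/"expires" for a fingerprints document), but the hostnames, fingerprint value and the validity checks in `is_valid_reference` are constructed assumptions for this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample POSH documents (values are made up for this example).
SOURCE_REFERENCE = '{"url": "https://hosting.example.net/.well-known/posh/xmpp.json", "expires": 86400}'
DELEGATED_FINGERPRINTS = '{"fingerprints": [{"sha-256": "<constructed-fingerprint>"}], "expires": 604800}'
BAD_REFERENCE = '{"url": "http://hosting.example.net/.well-known/posh/xmpp.json", "expires": 86400}'

def parse_posh(text):
    return json.loads(text)

def is_valid_reference(doc):
    """Assumed validity rule: an https URL and a positive integer 'expires'."""
    url, expires = doc.get("url"), doc.get("expires")
    if not isinstance(url, str) or not isinstance(expires, int) or expires <= 0:
        return False
    return urlparse(url).scheme == "https"

def is_valid_fingerprints(doc):
    fps, expires = doc.get("fingerprints"), doc.get("expires")
    return isinstance(fps, list) and len(fps) > 0 and isinstance(expires, int) and expires > 0

def cache_ttl(reference, fingerprints):
    """Seconds to cache the result, or None meaning 'do not cache'.
    RFC 7711 Section 6: with a reference, use the lower of the two 'expires'.
    Erratum 6338 (proposed): an invalid reference yields no cached result."""
    if reference is not None and not is_valid_reference(reference):
        return None
    if not is_valid_fingerprints(fingerprints):
        return None
    ttl = fingerprints["expires"]
    if reference is not None:
        ttl = min(ttl, reference["expires"])
    return ttl

class PoshCache:
    def __init__(self):
        self._entries = {}  # service -> (fingerprint list, expiry timestamp)

    def store(self, service, reference, fingerprints, now):
        ttl = cache_ttl(reference, fingerprints)
        if ttl is None:
            self._entries.pop(service, None)  # a retry must redo the full POSH lookup
            return False
        self._entries[service] = (fingerprints["fingerprints"], now + ttl)
        return True

    def lookup(self, service, now):
        """Cached fingerprints, or None when absent or stale (restart with the HTTPS GET)."""
        entry = self._entries.get(service)
        if entry is None or now >= entry[1]:
            self._entries.pop(service, None)
            return None
        return entry[0]
```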