RFC Errata



RFC 7711, "PKIX over Secure HTTP (POSH)", November 2015

Source of RFC: xmpp (art)

Errata ID: 6338
Status: Reported
Type: Technical
Publication Format(s): TEXT

Reported By: Bastien Lacoste
Date Reported: 2020-11-17

Section 6 says:

The POSH client MUST NOT cache results (reference or fingerprints)
indefinitely.  If the source domain returns a reference, the POSH
client MUST use the lower of the two "expires" values when
determining how long to cache results (i.e., if the reference
"expires" value is lower than the fingerprints "expires" value, honor
the reference "expires" value).  Once the POSH client considers the
results stale, it needs to perform the entire POSH operation again,
starting with the HTTPS GET request to the source domain.  The POSH
client MAY use a lower value than any provided in the "expires"
member(s), or not cache results at all.

It should say:

Add the following:

If the source returns an invalid reference, the POSH client SHALL NOT cache the results (reference or fingerprint) and SHALL perform the entire POSH operation again whenever performing any further retry.

Notes:

If the reference is lost (e.g., an X.509 certificate) and the POSH client does not refresh the fingerprint, then it fails until the old fingerprints expire... which will prevent the client from accessing the service because of caching, although the reference was updated on the source domain.
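The caching rule quoted from Section 6 (honor the lower of the reference and fingerprint "expires" values, optionally lower still on the client side) and the behaviour this erratum proposes for an invalid reference (cache nothing, redo the whole POSH operation on the next retry) are easy to get wrong in a client. The following is an added example, not code from RFC 7711 or from any POSH implementation. It assumes the POSH JSON layout of a `fingerprints` array or a `url` reference plus an integer `expires` in seconds, the well-known path `/.well-known/posh/xmpp-client.json`, that a reference must resolve to a fingerprints document rather than another reference, and it replaces HTTPS GET with a constructed in-memory page table so it runs offline.

```python
"""Added example: POSH client cache lifetime and invalid-reference handling."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample "web": a dict standing in for HTTPS GET (no network involved).
SAMPLE_PAGES: Dict[str, str] = {
    # Source domain delegates to a hosting provider via a reference (expires 1 hour).
    "https://example.com/.well-known/posh/xmpp-client.json":
        json.dumps({"url": "https://hosting.example.net/.well-known/posh/example.com.json",
                    "expires": 3600}),
    # Referenced document carries the fingerprints with a shorter lifetime (10 minutes).
    "https://hosting.example.net/.well-known/posh/example.com.json":
        json.dumps({"fingerprints": [{"sha-256": "AAAA-constructed-fingerprint-value"}],
                    "expires": 600}),
    # A source domain whose reference dangles: the target document does not exist.
    "https://broken.example/.well-known/posh/xmpp-client.json":
        json.dumps({"url": "https://gone.example.net/.well-known/posh/broken.json",
                    "expires": 3600}),
}


def make_fetch(pages: Dict[str, str]) -> Callable[[str], str]:
    """Return a fetch function over the constructed page table; missing URL = failed GET."""
    def fetch(url: str) -> str:
        if url not in pages:
            raise LookupError(f"constructed HTTP 404 for {url}")
        return pages[url]
    return fetch


def parse_posh(body: str) -> dict:
    """Parse a POSH document (assumed layout): exactly one of 'fingerprints' or 'url',
    plus a non-negative integer 'expires'. Raise ValueError on anything else."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("POSH document must be a JSON object")
    expires = doc.get("expires")
    if not isinstance(expires, int) or isinstance(expires, bool) or expires < 0:
        raise ValueError("'expires' must be a non-negative integer")
    has_fp, has_url = "fingerprints" in doc, "url" in doc
    if has_fp == has_url:
        raise ValueError("exactly one of 'fingerprints' or 'url' is required")
    if has_fp and not (isinstance(doc["fingerprints"], list) and doc["fingerprints"]
                       and all(isinstance(f, dict) for f in doc["fingerprints"])):
        raise ValueError("'fingerprints' must be a non-empty list of objects")
    if has_url and not (isinstance(doc["url"], str) and doc["url"].startswith("https://")):
        raise ValueError("'url' must be an https URL")
    return doc


class InvalidReference(Exception):
    """The source domain's reference could not be fetched or parsed."""


@dataclass
class CacheEntry:
    fingerprints: List[dict]
    expires_at: float


class PoshClient:
    def __init__(self, fetch: Callable[[str], str], clock: Callable[[], float],
                 client_max_ttl: Optional[int] = None) -> None:
        self._fetch, self._clock, self._client_max_ttl = fetch, clock, client_max_ttl
        self._cache: Dict[str, CacheEntry] = {}
        self.fetch_count = 0  # lets a caller see when the full operation was redone

    def _get(self, url: str) -> str:
        self.fetch_count += 1
        return self._fetch(url)

    def _resolve(self, domain: str) -> Tuple[List[dict], int]:
        """Full POSH operation: GET the source document, follow a reference if present,
        and compute the cache lifetime per Section 6 (lower of the two 'expires')."""
        doc = parse_posh(self._get(f"https://{domain}/.well-known/posh/xmpp-client.json"))
        if "fingerprints" in doc:
            fps, ttl = doc["fingerprints"], doc["expires"]
        else:
            try:
                ref = parse_posh(self._get(doc["url"]))
            except (LookupError, ValueError) as exc:
                raise InvalidReference(str(exc)) from exc
            if "url" in ref:  # assumption: references may not chain to another reference
                raise InvalidReference("reference resolves to another reference")
            fps, ttl = ref["fingerprints"], min(doc["expires"], ref["expires"])
        if self._client_max_ttl is not None:  # client MAY use a lower value still
            ttl = min(ttl, self._client_max_ttl)
        return fps, ttl

    def lookup(self, domain: str) -> Tuple[List[dict], bool]:
        """Return (fingerprints, served_from_cache). Stale or absent entries trigger
        the entire POSH operation again, as Section 6 requires."""
        now = self._clock()
        entry = self._cache.get(domain)
        if entry is not None and now < entry.expires_at:
            return entry.fingerprints, True
        try:
            fps, ttl = self._resolve(domain)
        except InvalidReference:
            self._cache.pop(domain, None)  # erratum 6338: cache nothing, retry redoes everything
            raise
        if ttl > 0:  # 'expires' of 0 means do not cache at all
            self._cache[domain] = CacheEntry(fps, now + ttl)
        return fps, False

    def cache_expiry(self, domain: str) -> Optional[float]:
        entry = self._cache.get(domain)
        return None if entry is None else entry.expires_at
```

With the constructed pages above, `example.com` is cached for 600 seconds (the fingerprint document's value, not the reference's 3600), after which `lookup` performs both GETs again; `broken.example` raises `InvalidReference`, leaves no cache entry behind, and every retry repeats the full operation rather than failing from a stale entry.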
