Confirmed users, Administrators
5,526
edits
SecurityEngineering/mozpkix-testing: Difference between revisions
SecurityEngineering/mozpkix-testing (view source)
Revision as of 21:43, 22 April 2015
, 22 April 2015→Things for CAs to Fix
| Line 105: | Line 105: | ||
# OCSP responses for subscriber certificates must have a maximum expiration time of ten days. BR #13.2.2: "For the status of Subscriber Certificates: ... The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days." | # OCSP responses for subscriber certificates must have a maximum expiration time of ten days. BR #13.2.2: "For the status of Subscriber Certificates: ... The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days." | ||
#* Related Bugs: {{Bug|1025625}}, {{Bug|997509}} | #* Related Bugs: {{Bug|1025625}}, {{Bug|997509}} | ||
# When signing OCSP responses with a delegated OCSP response signing certificate, ensure that the delegated OCSP response signing certificate will not expire before the OCSP response expires. Otherwise, when doing OCSP stapling, some servers will cache the OCSP response past the point where the delegated response signing certificate expires, and then Firefox will reject the connection. | |||
#* Related Bugs: {{Bug|1046223}} | |||
= Future Considerations = | = Future Considerations = | ||