Changes

CA/Required or Recommended Practices

70 bytes added, 00:39, 12 November 2015
OCSP
OCSP responders should be set up to listen on a standard port (e.g. port 80), because firewalls may block ports other than 80/443. Firefox and some other clients do not work with HTTPS OCSP responders, and many firewalls block requests that aren't over port 80, so OCSP responders must be accessible over HTTP (not only HTTPS) on port 80.
As per the [https://www.cabforum.org/documents.html CA/Browser Forum’s Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates], the OCSP URI must be provided in the certificate, except when OCSP stapling is used. BR #13.2.2 (section 4.9.10 in BR version 1.3): "The CA SHALL update information provided via an Online Certificate Status Protocol..." From Appendix B (section 7.1.2 in BR version 1.3) regarding authorityInformationAccess in Subordinate CA Certificate and Subscriber Certificate: "With the exception of stapling ... this extension MUST be present ... and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder..."
As per the [https://www.cabforum.org/documents.html CA/Browser Forum’s Guidelines for EV Certs], CAs must provide an OCSP capability for end-entity certificates that are issued after Dec 31, 2010. Mozilla is considering technical ways to enforce this OCSP requirement such that if Firefox cannot obtain a valid response from the OCSP responder, then the certificate will not be given EV treatment. ({{Bug|585122}})
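The two requirements above (an OCSP URI must be present in the AIA extension, and at least one responder must be reachable over plain HTTP on port 80) can be checked mechanically against the OCSP URIs extracted from a certificate. The following is an added example, not code from the wiki page or from Mozilla; the function names and the sample URIs are constructed for illustration, and the input is the list of OCSP access-location URIs already pulled out of a certificate's authorityInformationAccess extension (extraction itself is left to whatever X.509 parser you use).

```python
from urllib.parse import urlsplit


def ocsp_uri_issues(uri: str) -> list[str]:
    """Return the ways a single AIA OCSP URI fails the practice described
    on the page: it must use the http scheme and, if a port is given at all,
    that port must be 80. An empty list means the URI is acceptable."""
    parts = urlsplit(uri)
    issues: list[str] = []
    if parts.scheme != "http":          # urlsplit lowercases the scheme
        issues.append(f"scheme is {parts.scheme!r}, not http")
    if not parts.hostname:
        issues.append("no host in URI")
    try:
        port = parts.port                # None when no explicit port
    except ValueError:
        issues.append("port is not a valid integer")
        return issues
    if port is not None and port != 80:
        issues.append(f"explicit port {port} is not 80")
    return issues


def aia_ocsp_compliant(ocsp_uris: list[str]) -> tuple[bool, dict[str, list[str]]]:
    """Check a certificate's list of OCSP URIs as a whole.

    Compliant when at least one listed responder is plain HTTP on port 80;
    extra HTTPS responders are tolerated, since Firefox and some firewalls
    ignore or block them but they do no harm alongside an HTTP one.
    An empty list is non-compliant: the BR only excuse a missing URI when
    stapling is used, which cannot be judged from the certificate alone.
    """
    report = {uri: ocsp_uri_issues(uri) for uri in ocsp_uris}
    if not ocsp_uris:
        return False, {"<none>": ["no OCSP URI in AIA (required unless stapling)"]}
    return any(not issues for issues in report.values()), report


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real certificate.
    samples = {
        "http only":         ["http://ocsp.example.test/"],
        "https only":        ["https://ocsp.example.test/"],
        "non-standard port": ["http://ocsp.example.test:8080/"],
        "https plus http":   ["https://ocsp.example.test/", "http://ocsp.example.test:80/"],
        "missing":           [],
    }
    for label, uris in samples.items():
        ok, report = aia_ocsp_compliant(uris)
        print(f"{label:18} compliant={ok}")
        for uri, issues in report.items():
            if issues:
                print(f"    {uri}: {'; '.join(issues)}")
```

Running the module prints one line per constructed sample and the reasons for any failure, which is the shape of output a CA's pre-issuance linting step or a root-program audit script would want.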