''
Kathleen Comments:
* According to the EV Guidelines, the CRL nextUpdate for end-entity certs should not be more than 10 days. Mozilla recommends that the CRL nextUpdate for all end-entity certs (even not EV) be less than 10 days.
* According to the EV Guidelines, OCSP responses for end-entity certs should have a maximum expiration time of 10 days. Mozilla recommends this for all end-entity certs (even not EV).
RFC 2560, sections 2.2, 2.6, 3.2 and 4.2.2.2 define the requirements for the OCSP response signer's certificate and certificate chain. NSS enforces these requirements exactly.