Changes


CA/Required or Recommended Practices

208 bytes added, 21:50, 1 November 2012
OCSP
=== OCSP ===
Mozilla strongly recommends that OCSP be provided for certificates chaining to CAs that are included in NSS. OCSP responders should be set up to listen on a standard port (e.g. port 80), because firewalls may block ports other than 80/443.
Previous revision:

As per the [http://www.cabforum.org/ CA/Browser Forum’s Guidelines for EV Certs], CAs must provide an OCSP capability for end-entity certificates that are issued after Dec 31, 2010. Mozilla is considering technical ways to enforce this OCSP requirement such that if Firefox cannot obtain a valid response from the OCSP responder, then the certificate will not be given EV treatment. We are considering requiring the end-entity certificate to provide the OCSP URI in the AIA: https://bugzilla.mozilla.org/show_bug.cgi?id=585122#c23

Non-EV: We urge all CAs to provide an OCSP capability for all certs and to provide the OCSP URI in the AIA.

Revised text:

As per the [http://www.cabforum.org/ CA/Browser Forum’s Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.0], the OCSP URI must be provided in the certificate, except when OCSP stapling is used. From Appendix B regarding authorityInformationAccess in Subordinate CA Certificate and Subscriber Certificate: "With the exception of stapling, which is noted below, this extension MUST be present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder."

As per the [http://www.cabforum.org/ CA/Browser Forum’s Guidelines for EV Certs], CAs must provide an OCSP capability for end-entity certificates that are issued after Dec 31, 2010. Mozilla is considering technical ways to enforce this OCSP requirement such that if Firefox cannot obtain a valid response from the OCSP responder, then the certificate will not be given EV treatment. ({{Bug|585122}})
OCSP service for end-entity certs must be updated at least every four days, and OCSP responses must have a maximum expiration time of ten days.
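A static check of the AIA rules quoted above, as an added Go example that is not part of this wiki page, of the Baseline Requirements, or of NSS: it builds a constructed self-signed certificate with Go's standard library and reports whether the authorityInformationAccess extension is present, not marked critical, and carries the OCSP responder as an HTTP URL. The subject name and responder URLs are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)
var oidAIA = []int{1, 3, 6, 1, 5, 5, 7, 1, 1} // authorityInformationAccess, RFC 5280 4.2.2.1

// CheckAIA lists violations of the AIA rules quoted above: the extension must be present,
// must not be marked critical, and must carry the issuing CA's OCSP responder as an HTTP URL.
func CheckAIA(cert *x509.Certificate) []string {
	var out []string
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidAIA) && ext.Critical {
			out = append(out, "AIA extension is marked critical")
		}
	}
	if len(cert.OCSPServer) == 0 { // Go fills OCSPServer only from a present AIA extension
		return append(out, "no OCSP responder URL in AIA")
	}
	for _, raw := range cert.OCSPServer {
		if u, err := url.Parse(raw); err != nil || u.Scheme != "http" {
			out = append(out, "OCSP responder URL is not an HTTP URL: "+raw)
		}
	}
	return out
}

// SelfSigned builds a constructed self-signed test certificate carrying the given OCSP URLs.
func SelfSigned(ocsp []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), OCSPServer: ocsp, // constructed subject
		Subject: pkix.Name{CommonName: "example.test"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The criticality finding can only be produced by a certificate from another issuer, since Go's own encoder never marks AIA critical; the test certificates here exercise the missing-URL and non-HTTP cases.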