
CA/Required or Recommended Practices

25 bytes removed, 21:53, 1 November 2012
OCSP
OCSP responders should be set up to listen on a standard port (e.g. port 80), because firewalls may block ports other than 80/443.
As per the [https://www.cabforum.org/documents.html CA/Browser Forum’s Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.0], the OCSP URI must be provided in the certificate, except when OCSP stapling is used. From Appendix B regarding authorityInformationAccess in Subordinate CA Certificate and Subscriber Certificate: "With the exception of stapling, which is noted below, ... this extension MUST be present. It MUST NOT be marked critical, ... and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder..."
As per the [https://www.cabforum.org/documents.html CA/Browser Forum’s Guidelines for EV Certs], CAs must provide an OCSP capability for end-entity certificates that are issued after Dec 31, 2010. Mozilla is considering technical ways to enforce this OCSP requirement such that if Firefox cannot obtain a valid response from the OCSP responder, then the certificate will not be given EV treatment. ({{Bug|585122}})
OCSP service for end-entity certs must be updated at least every four days, and OCSP responses must have a maximum expiration time of ten days.
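As an added example, not from this wiki page or Mozilla's tooling, the following Python audits an OCSP deployment against the rules above: the AIA URI must be an HTTP URL on a standard port, nextUpdate may be at most ten days after thisUpdate, and a response whose thisUpdate is more than four days old shows the responder is not refreshing. The `openssl ocsp -text` style output and the hostnames are constructed sample data.

```python
# Added example (not from the wiki page or Mozilla): audit an OCSP deployment
# against the three rules above. Sample data below is constructed.
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

MAX_STALENESS = timedelta(days=4)       # end-entity status must be refreshed every four days
MAX_VALIDITY = timedelta(days=10)       # nextUpdate may be at most ten days after thisUpdate
STANDARD_PORTS = {80, 443}              # ports that firewalls rarely block
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"  # timestamp layout printed by `openssl ocsp -text`

def check_ocsp_uri(uri):
    """Return problems with an AIA OCSP URI: it must be an HTTP URL on a standard port."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "http":
        problems.append(f"scheme {parts.scheme!r} is not the HTTP URL the BR text requires")
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    if port not in STANDARD_PORTS:
        problems.append(f"port {port} is likely to be blocked by firewalls")
    return problems

def parse_openssl_time(text):
    return datetime.strptime(text.strip(), OPENSSL_TIME)

def parse_openssl_ocsp(text):
    """Extract thisUpdate / nextUpdate from `openssl ocsp -text` style output."""
    found = {}
    for key in ("This Update", "Next Update"):
        m = re.search(rf"^\s*{key}:\s*(.+)$", text, re.MULTILINE)
        if m:
            found[key] = parse_openssl_time(m.group(1))
    return found.get("This Update"), found.get("Next Update")

def check_ocsp_freshness(this_update, next_update, now):
    """Return problems with a response's timestamps as seen at time `now`."""
    problems = []
    if next_update is None:
        problems.append("no nextUpdate: response carries no expiration time")
    else:
        if next_update - this_update > MAX_VALIDITY:
            problems.append("nextUpdate is more than ten days after thisUpdate")
        if now > next_update:
            problems.append("response has expired")
    if now - this_update > MAX_STALENESS:
        problems.append("thisUpdate is older than four days: responder is not refreshing")
    return problems

# Constructed sample, in the layout `openssl ocsp -text` prints (not a real response).
SAMPLE_RESPONSE = "Response verify OK\n    This Update: Nov  1 21:53:00 2012 GMT\n    Next Update: Nov  5 21:53:00 2012 GMT\n"
```

Run the two check functions over a certificate's AIA URI and the output of `openssl ocsp -text` for it; an empty list means the deployment meets the rules quoted above.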