Confirm, administrator
5,526
edits
Changes
m
→OCSP
=== OCSP ===
Mozilla strongly recommends that OCSP be provided for certificates chaining up to root certificates CAs that are included in NSS. OCSP responders should be set up to listen on a standard port; eg (e.g. port 80), because firewalls may block ports other than 80/443.
Section 11.1.1 of the [[http://www.cabforum.org/Guidelines_v1_2.pdf CA/B Forum Guidelines for Extended Validation Certificates]] says: ''It is strongly RECOMMENDED that all CAs support OCSP when a majority of deployed Web servers support the TLS 1.0 extension in accordance to RFC 3546, to return “stapled” OCSP responses to EV-enabled applications. CAs MUST support an OCSP capability for Subscriber Certificates that are issued after Dec 31, 2010.''
