Changes


CA/Required or Recommended Practices

355 bytes added, 15:29, 26 July 2010
some comments on AIA:OCSP and on the OCSP deadlines
Section 11.1.1 of [http://www.cabforum.org/Guidelines_v1_2.pdf version 1.2 of the EV Guidelines] says: ''It is strongly RECOMMENDED that all CAs support OCSP when a majority of deployed Web servers support the TLS 1.0 extension in accordance to RFC 3546, to return “stapled” OCSP responses to EV-enabled applications. CAs MUST support an OCSP capability for Subscriber Certificates that are issued after Dec 31, 2010.''
 
''Viktor Vargas comment:
Should this really be followed? OCSP responses should be no older than 4 days, or CRLs no older than one year? Can we have more secure values? Is OCSP support only for Subscriber certificates enough?
Maybe we should add the following too:
CAs should include AIA:OCSP after Dec 31, 2010 in end entity and subCA certificates.
''
 
RFC 2560, sections 2.2, 2.6, 3.2 and 4.2.2.2 define the requirements for the OCSP response signer's certificate and certificate chain. NSS enforces these requirements exactly.
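As an added illustration (not code from this wiki page or from NSS), the following Python model shows the RFC 2560 section 4.2.2.2 rule for who may sign an OCSP response, together with the 4-day freshness bound mentioned in the comment above. The ''Cert'' structure, the key-id based trusted-responder list and the sample certificates are simplifications constructed here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# id-kp-OCSPSigning, the EKU RFC 2560 4.2.2.2 requires on a delegated responder certificate
OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"


@dataclass
class Cert:
    """Minimal stand-in for a certificate (constructed model, not a real X.509 parser)."""
    subject: str
    issuer: str
    eku: tuple = ()
    key_id: str = ""   # assumed identifier used to match locally trusted responders


def ocsp_signer_acceptable(subject_cert: Cert, signer: Cert, trusted_responders: set) -> bool:
    """RFC 2560 4.2.2.2: the response signer must be one of
    (1) the CA that issued the certificate in question,
    (2) a responder the client has been explicitly configured to trust, or
    (3) a delegated responder: a certificate issued by that same CA that carries
        the id-kp-OCSPSigning EKU.
    Signature verification and chain building are out of scope for this model."""
    if signer.subject == subject_cert.issuer:          # case 1: CA signs its own responses
        return True
    if signer.key_id in trusted_responders:            # case 2: locally trusted responder
        return True
    return (signer.issuer == subject_cert.issuer       # case 3: issued by the same CA ...
            and OCSP_SIGNING_EKU in signer.eku)        # ... and marked for OCSP signing


def response_fresh(this_update: datetime, next_update: datetime, now: datetime,
                   max_age: timedelta = timedelta(days=4)) -> bool:
    """Freshness check using the 4-day bound discussed above.
    Rejects responses whose thisUpdate/nextUpdate window does not contain 'now'
    as well as responses older than max_age."""
    if now < this_update or now > next_update:
        return False
    return now - this_update <= max_age


if __name__ == "__main__":
    ca = Cert("Example CA", "Example Root")
    ee = Cert("www.example.test", "Example CA")
    delegated = Cert("Example OCSP Responder", "Example CA", eku=(OCSP_SIGNING_EKU,))
    print(ocsp_signer_acceptable(ee, ca, set()), ocsp_signer_acceptable(ee, delegated, set()))
```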