Confirm, administrator
5,526
edits
Changes
m
→OCSP
''
''Kathleen Comments: * According to the EV Guidelines, the CRL nextUpdate OCSP responses for end-entity certs should not be more than have a maximum expiration time of 10 days. Mozilla recommends that the CRL nextUpdate this for all end-entity certs (even not EV) be less than 10 days.* According to the EV Guidelines, OCSP responses the CRL nextUpdate for end-entity certs should have a maximum expiration time of not be more than 10 days. Mozilla recommends this that the CRL nextUpdate for all end-entity certs (even not EV)be less than 10 days.''
RFC 2560, sections 2.2, 2.6, 3.2 and 4.2.2.2 define the requirements for the OCSP response signer's certificate and certificate chain. NSS enforces these requirements exactly.
