Changes

CA/Required or Recommended Practices

533 bytes removed, 20:39, 5 November 2010
OCSP
Mozilla strongly recommends that OCSP be provided for certificates chaining to CAs that are included in NSS. OCSP responders should be set up to listen on a standard port (e.g. port 80), because firewalls may block ports other than 80/443.
CAs are expected to comply with the current EV Guidelines of the [http://www.cabforum.org/ CA/Browser Forum]. Per those guidelines, CAs must provide an OCSP capability for end-entity certificates that are issued after Dec 31, 2010. Mozilla is considering technical ways to enforce this OCSP requirement such that if Firefox cannot obtain a valid response from the OCSP responder, then the certificate will not be given EV treatment. We are considering requiring the end-entity certificate to provide the OCSP URI in the AIA extension: https://bugzilla.mozilla.org/show_bug.cgi?id=585122#c23 Additionally, we urge all CAs to provide OCSP for all certs, even when they are not EV.

Section 11.1.1 of [http://www.cabforum.org/Guidelines_v1_2.pdf version 1.2 of the EV Guidelines] says: ''It is strongly RECOMMENDED that all CAs support OCSP when a majority of deployed Web servers support the TLS 1.0 extension in accordance to RFC 3546, to return “stapled” OCSP responses to EV-enabled applications. CAs MUST support an OCSP capability for Subscriber Certificates that are issued after Dec 31, 2010.''

''Viktor Vargas comment: Really, this should be followed? OCSP response should be not older than 4 days, or CRL not older than one year? Can we have more secure values? Is the OCSP support only for Subscriber certificates enough? Maybe we should add the following too: CAs should include AIA:OCSP after Dec 31, 2010 in end-entity and sub-CA certificates.''

''Kathleen Comments: According to the EV Guidelines, OCSP responses for end-entity certs should have a maximum expiration time of 10 days. Mozilla recommends this for all end-entity certs (even not EV). According to the EV Guidelines, the CRL nextUpdate for end-entity certs should not be more than 10 days. Mozilla recommends that the CRL nextUpdate for all end-entity certs (even not EV) be less than 10 days.''
RFC 2560, sections 2.2, 2.6, 3.2 and 4.2.2.2 define the requirements for the OCSP response signer's certificate and certificate chain. NSS enforces these requirements exactly.
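A defender-side check of the practices in this section, written as an added Go example (it is not Mozilla's or NSS's code and does not come from the wiki): it parses a certificate with the standard library, verifies that the Authority Information Access extension carries an OCSP URI on a standard port (80 or 443, or the scheme default), and checks an OCSP or CRL thisUpdate/nextUpdate window against the 10-day ceiling quoted above. The certificate it inspects is a self-signed one generated inside the block, and the responder hostnames are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// maxResponseAge is the 10-day ceiling the page cites from the EV Guidelines
// for OCSP response expiry and CRL nextUpdate on end-entity certificates.
const maxResponseAge = 10 * 24 * time.Hour

// Finding describes one deviation from the practices on the page.
type Finding string

// CheckOCSPAIA inspects a parsed end-entity certificate and reports a missing
// OCSP URI in the AIA extension or a responder listening on a non-standard port.
func CheckOCSPAIA(cert *x509.Certificate) []Finding {
	var findings []Finding
	if len(cert.OCSPServer) == 0 {
		return append(findings, "no OCSP URI in the Authority Information Access extension")
	}
	for _, raw := range cert.OCSPServer {
		u, err := url.Parse(raw)
		if err != nil || u.Host == "" {
			findings = append(findings, Finding("unparsable OCSP URI: "+raw))
			continue
		}
		port := u.Port()
		if port == "" {
			// No explicit port: the scheme default (80 for http, 443 for https) applies.
			continue
		}
		if port != "80" && port != "443" {
			findings = append(findings, Finding("OCSP responder on non-standard port "+port+": "+raw))
		}
	}
	return findings
}

// CheckValidityWindow returns false when a response (OCSP thisUpdate/nextUpdate
// or CRL thisUpdate/nextUpdate) is valid for longer than maxResponseAge, or
// when nextUpdate is absent or not after thisUpdate.
func CheckValidityWindow(thisUpdate, nextUpdate time.Time) bool {
	if nextUpdate.IsZero() || !nextUpdate.After(thisUpdate) {
		return false
	}
	return nextUpdate.Sub(thisUpdate) <= maxResponseAge
}

// selfSignedWithOCSP builds a throwaway self-signed certificate carrying the
// given OCSP responder URIs, so the checks can run offline. A real deployment
// would instead parse a certificate fetched from a server or a CA's test site.
func selfSignedWithOCSP(ocspURIs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed, not a real host
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		OCSPServer:   ocspURIs, // becomes the AIA id-ad-ocsp access method
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample: responder on port 8080 trips the standard-port check.
	cert, err := selfSignedWithOCSP([]string{"http://ocsp.example.test:8080/"})
	if err != nil {
		panic(err)
	}
	for _, f := range CheckOCSPAIA(cert) {
		fmt.Println("finding:", f)
	}
	now := time.Now()
	fmt.Println("4-day window ok:", CheckValidityWindow(now, now.Add(4*24*time.Hour)))
	fmt.Println("30-day window ok:", CheckValidityWindow(now, now.Add(30*24*time.Hour)))
}
```

Run the same two checks against a real end-entity certificate by replacing selfSignedWithOCSP with x509.ParseCertificate on the DER you fetched; the window check takes the thisUpdate and nextUpdate values out of the OCSP response or CRL you already parse.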