Confirm, administrator
5,526
edits
Changes
m
Additionally, we Non-EV: We urge all CAs to provide OCSP for all certs, even when they are not EVand to provide the OCSP URI in the AIA.
→OCSP
As per the [http://www.cabforum.org/ CA/Browser Forum’s Guidelines for EV Certs], CAs must provide an OCSP capability for end-entity certificates that are issued after Dec 31, 2010. Mozilla is considering technical ways to enforce this OCSP requirement such that if Firefox cannot obtain a valid response from the OCSP responder, then the certificate will not be given EV treatment. We are considering requiring the end-entity certificate to provide the OCSP URI in the AIA: https://bugzilla.mozilla.org/show_bug.cgi?id=585122#c23
OCSP service for end-entity certs must be updated at least every four days, and OCSP responses must have a maximum expiration time of ten days.
