=== OCSP ===
Mozilla strongly recommends that OCSP be provided for certificates chaining to CAs that are included in NSS. OCSP responders should be set up to listen on a standard port (e.g. port 80), because firewalls may block ports other than 80/443.
As per the [http://www.cabforum.org/ CA/Browser Forum’s Guidelines Baseline Requirements for EV Certsthe Issuance and Management of Publicly-Trusted Certificates, v.1.0], CAs the OCSP URI must provide an be provided in the certificate, except when OCSP capability for end-entity certificates that are issued after Dec 31stapling is used. From Appendix B regarding authorityInformationAccess in Subordinate CA Certificate and Subscriber Certificate: "With the exception of stapling, 2010. Mozilla which is considering technical ways to enforce noted below, this OCSP requirement such that if Firefox cannot obtain a valid response from the OCSP responder, then the certificate will not extension MUST be given EV treatmentpresent. We are considering requiring It MUST NOT be marked critical, and it MUST contain the end-entity certificate to provide HTTP URL of the Issuing CA’s OCSP URI in the AIA: https://bugzillaresponder.mozilla.org/show_bug.cgi?id=585122#c23"
Non-As per the [http://www.cabforum.org/ CA/Browser Forum’s Guidelines for EV: We urge all Certs], CAs to must provide an OCSP capability for all certs and end-entity certificates that are issued after Dec 31, 2010. Mozilla is considering technical ways to provide enforce this OCSP requirement such that if Firefox cannot obtain a valid response from the OCSP URI in responder, then the AIAcertificate will not be given EV treatment.({{Bug|585122}})
OCSP service for end-entity certs must be updated at least every four days, and OCSP responses must have a maximum expiration time of ten days.