Confirm, administrator
5,526
edits
Changes
m
→OCSP
OCSP responders should be set up to listen on a standard port (e.g. port 80), because firewalls may block ports other than 80/443.
As per the [https://www.cabforum.org/documents.html CA/Browser Forum’s Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates], the OCSP URI must be provided in the certificate, except when OCSP stapling is used. BR #13.2.2: "The CA SHALL update information provided via an Online Certificate Status Protocol..." From Appendix B regarding authorityInformationAccess in Subordinate CA Certificate and Subscriber Certificate: "With the exception of stapling ... this extension MUST be present ... and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder..."
As per the [https://www.cabforum.org/documents.html CA/Browser Forum’s Guidelines for EV Certs], CAs must provide an OCSP capability for end-entity certificates that are issued after Dec 31, 2010. Mozilla is considering technical ways to enforce this OCSP requirement such that if Firefox cannot obtain a valid response from the OCSP responder, then the certificate will not be given EV treatment. ({{Bug|585122}})
