CA/Required or Recommended Practices: Difference between revisions

Line 52: Line 52:
Mozilla strongly recommends that OCSP be provided for certificates chaining to CAs that are included in NSS.  OCSP responders should be set up to listen on a standard port (e.g. port 80), because firewalls may block ports other than 80/443.
Mozilla strongly recommends that OCSP be provided for certificates chaining to CAs that are included in NSS.  OCSP responders should be set up to listen on a standard port (e.g. port 80), because firewalls may block ports other than 80/443.


Section 11.1.1 of the [http://www.cabforum.org/Guidelines_v1_2.pdf CA/B Forum Guidelines for Extended Validation Certificates] says: ''It is strongly RECOMMENDED that all CAs support OCSP when a majority of deployed Web servers support the TLS 1.0 extension in accordance to RFC 3546, to return “stapled” OCSP responses to EV-enabled applications. CAs MUST support an OCSP capability for Subscriber Certificates that are issued after Dec 31, 2010.''
CAs are expected to comply with the current EV Guidelines of the [http://www.cabforum.org/ CA/B Forum.]


After December 31, 2010, Mozilla will require that OCSP be supported and working without error for all EV certificates chaining up to root certificates included in NSS.  
Section 11.1.1 of the [http://www.cabforum.org/Guidelines_v1_2.pdf version 1.2 of the EV Guidelines] says: ''It is strongly RECOMMENDED that all CAs support OCSP when a majority of deployed Web servers support the TLS 1.0 extension in accordance to RFC 3546, to return “stapled” OCSP responses to EV-enabled applications. CAs MUST support an OCSP capability for Subscriber Certificates that are issued after Dec 31, 2010.''


RFC 2560, sections 2.2, 2.6, 3.2 and 4.2.2.2 define the requirements for the OCSP response signer's certificate and certificate chain. NSS enforces these requirements exactly.
RFC 2560, sections 2.2, 2.6, 3.2 and 4.2.2.2 define the requirements for the OCSP response signer's certificate and certificate chain. NSS enforces these requirements exactly.
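Review bot: the new sentence "CAs are expected to comply with the current EV Guidelines of the CA/B Forum" is immediately followed by a quotation pinned to a specific document, "Section 11.1.1 of the version 1.2 of the EV Guidelines" (linked to Guidelines_v1_2.pdf), so once the Forum publishes a later version the section number and quoted wording may no longer describe what "current" requires; state explicitly that the quote is from v1.2 and keep the generic http://www.cabforum.org/ link as the normative pointer, so a reader knows which of the two governs. Two small wording points in the same paragraph: "the version 1.2 of the EV Guidelines" should read "version 1.2 of the EV Guidelines", and the full stop is inside the link text in "[http://www.cabforum.org/ CA/B Forum.]"; move it outside the brackets so the rendered link does not include the period.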