Gervase Markham <[email protected]> wrote:
> Add a requirement that every OCSP response must have a nextUpdate field.
> This is required to ensure that OCSP stapling works reliably with all
> (at least most) server and client products.
>
> Proposal: update the second bullet in point 3 of the Maintenance section
> so that the last sentence reads:
>
> OCSP responses from this service must have a defined value in the
> nextUpdate field, and it must be no more than ten days after the
> thisUpdate field.
The Baseline Requirements has different requirements for end-entity and intermediate certificates. It requires the nextUpdate field to be no more than 10 days after the thisUpdate field, but it doesn't have the same requirement for intermediates. Are you intending to override the BR laxness for maximum OCSP lifetime for intermediates, or just match the BR requirements?

If you are intending to be stricter than the BRs require, then your change sounds good, but maybe call out specifically that this is stricter for intermediates than what the BRs require. Otherwise, if you're intending to match the BRs, then I would remove the ", and it must be no more than ten days after the thisUpdate field."

Cheers,
Brian
--
https://briansmith.org/
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
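The two readings of the proposal discussed above (a ten-day cap that applies to all OCSP responses versus one that, like the BRs as described in the thread, applies only to end-entity responses) differ by a single switch in a compliance check. The following is an added example, not code from the thread, from Mozilla's policy, or from the Baseline Requirements; it takes the thisUpdate and nextUpdate values as the GeneralizedTime strings OCSP carries them in, treats an absent nextUpdate as a finding in every mode (the stapling-reliability point in Gerv's proposal), and applies the ten-day limit to intermediates only when `strict_for_intermediates` is set. The sample responses and their names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Ten-day cap on thisUpdate -> nextUpdate, as stated in the proposal on this page
# for end-entity responses. Whether it also applies to intermediates is the
# open question in the thread, hence the switch below.
MAX_LIFETIME = timedelta(days=10)


def parse_generalized_time(value: str) -> datetime:
    """Parse the GeneralizedTime form OCSP uses (YYYYMMDDHHMMSSZ, UTC only)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_ocsp_lifetime(this_update: str, next_update, is_intermediate: bool,
                        strict_for_intermediates: bool) -> list:
    """Return a list of policy findings; an empty list means the response complies.

    next_update may be None to model a response with no nextUpdate field.
    """
    findings = []
    if next_update is None:
        # Required in both readings of the proposal: without nextUpdate a
        # stapling server or client cannot know how long the response is good for.
        findings.append("nextUpdate absent: cannot determine response validity period")
        return findings
    tu = parse_generalized_time(this_update)
    nu = parse_generalized_time(next_update)
    if nu <= tu:
        findings.append("nextUpdate is not after thisUpdate")
        return findings
    lifetime = nu - tu
    # The cap always applies to end-entity responses; for intermediates only
    # under the stricter-than-BR reading of the proposal.
    limit_applies = (not is_intermediate) or strict_for_intermediates
    if limit_applies and lifetime > MAX_LIFETIME:
        findings.append(f"lifetime {lifetime} exceeds {MAX_LIFETIME.days} days")
    return findings


# Constructed sample responses (hypothetical names and dates, not real responders).
SAMPLE_RESPONSES = {
    "ee-seven-days": ("20240101000000Z", "20240108000000Z", False),
    "ee-fourteen-days": ("20240101000000Z", "20240115000000Z", False),
    "ee-no-nextupdate": ("20240101000000Z", None, False),
    "ica-thirty-one-days": ("20240101000000Z", "20240201000000Z", True),
}


def audit(responses: dict, strict_for_intermediates: bool) -> dict:
    """Run the check over a batch and return only the non-compliant entries."""
    result = {}
    for name, (this_update, next_update, is_intermediate) in responses.items():
        findings = check_ocsp_lifetime(this_update, next_update,
                                       is_intermediate, strict_for_intermediates)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for mode in (False, True):
        label = "stricter than BRs" if mode else "match BRs"
        print(f"--- {label} ---")
        for name, findings in audit(SAMPLE_RESPONSES, mode).items():
            print(name, "->", "; ".join(findings))
```

Running the audit in both modes shows the practical difference Brian asks about: the 31-day intermediate response is flagged only under the stricter reading, while the missing nextUpdate and the 14-day end-entity response are flagged either way.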

