Gervase Markham <g...@mozilla.org> wrote:
> On 08/12/16 12:46, Brian Smith wrote:
>> Are you intending to override the BR laxness for maximum OCSP lifetime
>> for intermediates, or just match the BR requirements?
>
> The wider context of this section includes a "For end-entity
> certificates:". So the wording as proposed matches the BRs in terms of
> duration.

OK. This means that the policy isn't really sufficient for use with the OCSP multi-stapling extension. Multi-stapling only works well when the OCSP responses for the intermediate CA certificates are treated like what is proposed for end-entity certificates w.r.t. nextUpdate.

Cheers,
Brian
--
https://briansmith.org/