OCSP responses MUST conform to RFC6960 and/or RFC5019. OCSP responses MUST either:
1496
+
The validity interval of an OCSP response is the difference in time between the `thisUpdate`and`nextUpdate` field, inclusive. For purposes of computing differences, a difference of 3,600 seconds shall be equal to one hour, and a difference of 86,400 seconds shall be equal to one day, ignoring leap-seconds.
1497
1497
1498
-
1. Be signed by the CA that issued the Certificates whose revocation status is being checked, or
1499
-
2. Be signed by an OCSP Responder whose Certificate is signed by the CA that issued the Certificate whose
1500
-
revocation status is being checked.
1498
+
A certificate serial is "assigned" if:
1501
1499
1502
-
In the latter case, the OCSP signing Certificate MUST contain an extension of type `id-pkix-ocsp-nocheck`, as
1503
-
defined by RFC6960.
1500
+
- a Certificate with that serial number has been issued by the Issuing CA.
Effective 2023-09-15, OCSP responders operated by the CA SHALL support the HTTP GET method, as described in RFC 6960 and/or RFC 5019.
1508
-
1509
-
Effective 2023-09-15, the validity interval of an OCSP response is the difference in time between the `thisUpdate` and `nextUpdate` field, inclusive. For purposes of computing differences, a difference of 3,600 seconds shall be equal to one hour, and a difference of 86,400 seconds shall be equal to one day, ignoring leap-seconds.
1510
-
1511
-
CAs MAY provide OCSP responses for Code Signing Certificates and Timestamp Certificates for the time period specified in their CPS, which MAY be at least 10 years after the expiration of the certificate.
1502
+
A certificate serial is "unassigned" if it is not "assigned".
1512
1503
1513
-
If the CA provides OCSP responses, the CA SHALL support an OCSP capability using the GET method for Certificates issued in accordance with these Requirements.
1504
+
The following SHALL apply for communicating the status of Certificates which include an Authority Information Access extension with an id-ad-ocsp accessMethod.
1514
1505
1515
-
For the status of Subordinate CA Certificates:
1506
+
OCSP responders operated by the CA SHALL support the HTTP GET method, as described in RFC 6960 and/or RFC 5019. The CA MAY process the Nonce extension (`1.3.6.1.5.5.7.48.1.2`) in accordance with RFC 8954.
1516
1507
1517
-
* If the Issuing CA provides OCSP responses, the Issuing CA SHALL update information provided via an OCSP response at least every twelve months and within 24 hours after revoking a Subordinate CA Certificate.
1508
+
For the status of a Code Signing Certificate:
1518
1509
1519
-
For the status of Code Signing Certificates:
1520
-
1521
-
* If the Subordinate CA provides OCSP responses, the CA SHALL update information provided via an OCSP response at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days.
1510
+
- Effective 2025-06-15, an authoritative OCSP response MUST be available (i.e. the responder MUST NOT respond with the "unknown" status) starting no more than 15 minutes after the Certificate is first published or otherwise made available.
1511
+
- For OCSP responses with validity intervals less than sixteen hours, the CA SHALL provide an updated OCSP response prior to one-half of the validity period before the nextUpdate.
1512
+
- For OCSP responses with validity intervals greater than or equal to sixteen hours, the CA SHALL provide an updated OCSP response at least eight hours prior to the nextUpdate, and no later than four days after the thisUpdate.
1522
1513
1523
-
For the status of Timestamp Certificates:
1514
+
For the status of a Subordinate CA Certificate, the CA SHALL provide an updated OCSP response at least every twelve months, and within 24 hours after revoking the Certificate.
1524
1515
1525
-
* If the Subordinate CA provides OCSP responses, the Subordinate CA SHALL update information provided via an OCSP response at least every twelve months and within 24 hours after revoking a Timestamp Certificate.
1516
+
For the status of a Timestamp Certificate, the CA SHALL provide an updated OCSP response at least every twelve months, and within 24 hours after revoking the Certificate.
1526
1517
1527
-
A certificate serial number within an OCSP request is "assigned" if a Certificate with that serial number has been issued by the Issuing CA, using any current or previous key associated with that CA subject.
If the OCSP responder receives a request for the status of a certificate serial number that is not "assigned", then the responder MUST NOT respond with a "good" status.
1520
+
No Stipulation.
1530
1521
1531
1522
### 4.9.11 Other forms of revocation advertisements available
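Review bot: the deleted lines at old 1498-1503 (OCSP responses must be signed by the issuing CA or by an OCSP Responder whose certificate is signed by that CA and carries `id-pkix-ocsp-nocheck`) have no counterpart among the added lines; if that requirement now lives elsewhere in the document, the commit description should say where, otherwise the signing constraint is silently dropped. The same applies to the removed cap at old 1521 ("OCSP responses from this service MUST have a maximum expiration time of ten days"): the new Code Signing bullets bound when an updated response must be produced (before one-half of the validity period ahead of `nextUpdate` for intervals under sixteen hours; at least eight hours before `nextUpdate` and no later than four days after `thisUpdate` otherwise) but no longer bound the validity interval itself, so a responder could now issue a response with a much longer `nextUpdate` without violating the text. The new "assigned" definition at new 1500 ("a Certificate with that serial number has been issued by the Issuing CA") also drops the old qualifier "using any current or previous key associated with that CA subject" from old 1527; consider carrying that clause into the bullet so serials issued under a previous CA key still count as assigned and cannot receive a "good" response by accident. Minor: the added "No Stipulation." at new 1520 sits between the unassigned-serial rule and the 4.9.11 heading with no subheading of its own visible in this hunk; check that it is attached to the intended subsection.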