Delegated OCSP Certificate Validity
Closed this issue · 2 comments
Originally found by @techliaison and @connellyt. Please let me know if I'm mischaracterizing this...
Summary: The CP inconsistently references Delegated OCSP certificate validity.
Delegated OCSP Responder Certificate Profile
Validity Period:
- Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter
- No longer than 45 days from date of issue.
4.6.3 Processing certificate renewal requests
The CA shall verify that the OCSP Delegated Responder certificate expiration date shall not exceed 395 days from the date of initial certificate issuance.
Desired outcome: Correct validity in 4.6.3 to match profile.
See #297 for background on this.
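An added lint-style check (example code written for this issue, not code from the CP repository) that encodes the two rules quoted above so the mismatch is mechanically testable: the profile's UTCTime/GeneralizedTime date encoding and 45-day maximum, and the 4.6.3 limit of 395 days measured from the date of initial certificate issuance. The function names, the `initial_issuance` parameter and the sample dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional

PROFILE_MAX_DAYS = 45   # Delegated OCSP Responder profile: "no longer than 45 days"
RENEWAL_MAX_DAYS = 395  # CP 4.6.3: counted from the date of initial certificate issuance


def decode_x509_time(value: str) -> datetime:
    """Decode the string content of an RFC 5280 Time value.

    UTCTime         YYMMDDHHMMSSZ   (13 chars; YY >= 50 means 19YY, else 20YY)
    GeneralizedTime YYYYMMDDHHMMSSZ (15 chars; permitted only for years after 2049)
    """
    if not value.endswith("Z"):
        raise ValueError("X.509 Time values must be expressed in UTC ('Z')")
    if len(value) == 13:                      # UTCTime
        yy = int(value[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = value[2:12]
    elif len(value) == 15:                    # GeneralizedTime
        year = int(value[:4])
        if year <= 2049:
            raise ValueError("dates through 2049 must be encoded as UTCTime")
        rest = value[4:14]
    else:
        raise ValueError(f"unrecognised Time encoding: {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def lint_delegated_ocsp_validity(not_before: str, not_after: str,
                                 initial_issuance: Optional[str] = None) -> List[str]:
    """Return findings for a delegated OCSP responder cert; [] means both rules hold.

    initial_issuance (constructed name) is the notBefore of the first certificate
    issued for this responder key and drives the 4.6.3 renewal check.
    """
    findings = []
    nb, na = decode_x509_time(not_before), decode_x509_time(not_after)
    if na <= nb:
        return ["notAfter is not later than notBefore"]
    lifetime = na - nb
    if lifetime > timedelta(days=PROFILE_MAX_DAYS):
        findings.append(f"validity of {lifetime.days} days exceeds the profile maximum of {PROFILE_MAX_DAYS} days")
    if initial_issuance is not None:
        since_first = na - decode_x509_time(initial_issuance)
        if since_first > timedelta(days=RENEWAL_MAX_DAYS):
            findings.append(f"expiration is {since_first.days} days after initial issuance, over the {RENEWAL_MAX_DAYS}-day limit in 4.6.3")
    return findings
```

A 45-day certificate renewed under a key first certified 15 months earlier passes the profile check but fails the 4.6.3 check, which is exactly the inconsistency this issue describes.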
I think I could clarify the wording a bit more. Note that this is in the RENEWAL section (4.6.3).
Example:
- Are the same private keys being used and a new ocsp cert?
- If so, we were trying to accommodate information validation requirements with the lifetime of each individual cert.
AND - we might be in a small majority that is trying to accommodate delegated OCSP certs. I haven't seen specific language for delegated OCSP certs in many other non-Federal PKI related CPs.
Incorporated into future CP update.