uspki/policies

Delegated OCSP Certificate Validity

Closed this issue · 2 comments

Originally found by @techliaison and @connellyt. Please let me know if I'm mis-characterizing this...

Summary: The CP inconsistently references Delegated OCSP certificate validity.

Delegated OCSP Responder Certificate Profile

Validity Period:

  • Encoded as UTCTime for dates through 2049 and GeneralizedTime for dates thereafter 
  • No longer than 45 days from date of issue.

4.6.3 Processing certificate renewal requests
The CA shall verify that the OCSP Delegated Responder certificate expiration date shall not exceed 395 days from the date of initial certificate issuance.

Desired outcome: Correct validity in 4.6.3 to match profile.

See #297 for background on this.
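As an added illustration (not part of the issue or the uspki/policies repository), the two profile rules quoted above can be checked mechanically against a certificate's DER `Validity` field: the Time encoding must be UTCTime through 2049 and GeneralizedTime thereafter, and notAfter minus notBefore must not exceed 45 days. The sample `Validity` structures below are constructed for the example, using only the standard library; the 395-day case shows what the 4.6.3 wording would permit.

```python
from datetime import datetime, timedelta, timezone

UTCTIME, GENERALIZEDTIME, SEQUENCE = 0x17, 0x18, 0x30
MAX_VALIDITY = timedelta(days=45)  # limit from the Delegated OCSP Responder profile

def _read_tlv(buf, pos):
    """Read one short-form DER TLV (Validity and its Time values are always short)."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not expected inside Validity")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def parse_time(tag, value):
    """Decode an X.509 Time. Returns (datetime, encoding_ok), where encoding_ok is the
    profile rule: UTCTime for years <= 2049, GeneralizedTime afterwards."""
    text = value.decode("ascii")
    if tag == UTCTIME:                      # YYMMDDHHMMSSZ, RFC 5280 pivot at 50
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        dt = datetime.strptime(f"{year}{text[2:]}", "%Y%m%d%H%M%SZ")
    elif tag == GENERALIZEDTIME:            # YYYYMMDDHHMMSSZ
        dt = datetime.strptime(text, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    dt = dt.replace(tzinfo=timezone.utc)
    return dt, (tag == UTCTIME) == (dt.year <= 2049)

def check_validity(der):
    """Check a DER Validity SEQUENCE against the profile; returns the findings as a dict."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    t1, v1, nxt = _read_tlv(body, 0)
    t2, v2, _ = _read_tlv(body, nxt)
    not_before, enc_ok1 = parse_time(t1, v1)
    not_after, enc_ok2 = parse_time(t2, v2)
    lifetime = not_after - not_before
    return {"not_before": not_before, "not_after": not_after,
            "lifetime_days": lifetime.days,
            "encoding_ok": enc_ok1 and enc_ok2,
            "within_45_days": timedelta(0) < lifetime <= MAX_VALIDITY}

def _tlv(tag, value):
    return bytes([tag, len(value)]) + value

def encode_validity(not_before, not_after):
    """Constructed test input: build a DER Validity choosing the Time type per RFC 5280."""
    def time(dt):
        if dt.year <= 2049:
            return _tlv(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())
        return _tlv(GENERALIZEDTIME, dt.strftime("%Y%m%d%H%M%SZ").encode())
    return _tlv(SEQUENCE, time(not_before) + time(not_after))
```

Running `check_validity` over a 45-day and a 395-day `Validity` built with `encode_validity` reports the first as compliant and the second as exceeding the profile limit, which is exactly the inconsistency this issue is about.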

I think I could clarify the wording a bit more. Note that this is in the RENEWAL section (4.6.3).

Example:

  • Are the same private keys being used and a new OCSP cert?
  • If so, we were trying to accommodate information validation requirements with the lifetime of each individual cert.

AND - we might be in a small majority that is trying to accommodate delegated OCSP certs. I haven't seen specific language for delegated OCSP certs in many other non-Federal PKI related CPs.

Incorporated into future CP update.