[cabfpub] FW: Short lived OCSP signing certificate

Gervase Markham gerv at mozilla.org
Tue Sep 18 17:03:17 UTC 2012

On 18/09/12 17:43, Erwann Abalea wrote:
> CRLs don't define how often they should be rechecked.
> They optionally provide a nextUpdate field, which is defined as the
> latest date at which a new CRL will be issued, and the CA is free to
> issue any number of CRLs they want before that date, and a RP is free to
> frequently check if a new CRL has been issued. The nextUpdate found in
> an OCSP response has the exact same semantic.
> The nextUpdate and issue frequency are not correlated.

My mistake; apologies. I will check my facts more carefully :-)


More information about the Public mailing list