[cabfpub] Short Lived Certificates

Jeremy Rowley jeremy.rowley at digicert.com
Wed Oct 7 07:15:21 UTC 2015


Definitions:

Issuance Date: The date and time the certificate is signed by the Issuing CA.

Short-Lived Certificates: A certificate where the Issuance Date is (i) after the notBefore date but not later than 24 hours after the notBefore date in the Certificate and (ii) earlier than the notAfter date and not earlier than 72 hours before the notAfter date in the Certificate.


4.9.10. On-line Revocation Checking Requirements

Effective 1 January 2013, the CA SHALL support an OCSP capability using the GET method for Certificates issued in accordance with these Requirements.

For the status of Subscriber Certificates other than a Short-Lived Certificate: The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days.

7.1.2.3. Subscriber Certificate
…
c. authorityInformationAccess With the exception of stapling and Short-Lived Certificates, which are noted below, this extension MUST be present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).

The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted for Short-Lived Certificates or if Subscriber “staples” OCSP responses for the Certificate in its TLS handshakes [RFC4366].

Jeremy
