[Servercert-wg] OCSP Responder Requirements for Unexpired, Not-in-Use Intermediates

Aaron Gable aaron at letsencrypt.org
Fri Mar 19 23:47:49 UTC 2021

Hello all,

We (Let's Encrypt) are interested in any requirements, recommendations, or
CA ecosystem best practices for turning off an Intermediate OCSP responder
in the following scenario:

    An intermediate that is unexpired, with all end-entity certs it signed
expired, and the CA is no longer going to issue from it.

We think fully decommissioning OCSP responders for an intermediate in this
scenario is not a violation of the Baseline Requirements. However, it might
be best to return some kind of fully-formed unauthorized response until the
intermediate is expired or a set time after expiry.

Additionally, we're interested to know the recommendations related to an
expired intermediate. How long should an OCSP responder exist after the
intermediate issuer is expired?

Aaron, on behalf of Jillian Karner and Let's Encrypt / ISRG
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210319/48746e36/attachment.html>

More information about the Servercert-wg mailing list