Table of Contents
Advertisement
Discussion
The extension is meant to be included in an OCSP responder's signing certificate.
The extension tells an OCSP client that the signing certificate can be trusted
without querying the OCSP responder (since the reply would again be signed by
the OCSP responder, and the client would again request the validity status of the
signing certificate). This extension is null-valued: its meaning is determined by its
presence or absence.
Since the presence of this extension in a certificate will cause OCSP clients to trust
responses signed with that certificate, use of this extension should be managed
carefully. If the OCSP signing key is compromised, the entire process of validating
certificates in the PKI will be compromised for the duration of the validity period
of the certificate. Therefore, certificates using
short lifetimes and be renewed frequently.
CMS Version Support
Refer to "OCSPNoCheckExt Plug-in Module" on page 218.
•
CMS 4.1: Not supported
•
CMS 4.2: Supported
•
CMS 4.2-SP2: Supported
Netscape Recommendation
Netscape recommends using this extension in OCSP responder signing certificates.
The validity period should be short enough to minimize the potential impact of a
compromised OCSP responder signing key to your organization.
Microsoft Recommendation
Microsoft products do not currently use online status checking.
policyConstraints
OID
2.5.29.36
References
http://www.ietf.org/rfc/rfc2459.txt
Criticality
This extension may be critical or noncritical.
Standard X.509 v3 Certificate Extensions
should be issued with
OCSPNocheck
4.2.1.12
Appendix C
Certificate and CRL Extensions
353
Advertisement
Table of Contents
