Netscape MANAGEMENT SYSTEM 6.0 - PLUG-IN Manual page 218

OCSPNoCheckExt Plug-in Module
responder only if the certificate being validated includes the authority information
access extension indicating the location of the OCSP responder; for information on
adding this extension to certificates, see "AuthInfoAccessExt Plug-in Module" on
page 132.
When queried by an application on the status of a certificate, the OCSP responder
sends a digitally signed response. For the signature, the responder uses the key
pair designated for signing OCSP responses. Usually, the CA issues an OCSP
responder certificate to the responder, which enables applications to identify it as a
CA-designated responder. The CA issues this certificate with an extended key
usage extension with a unique value, which indicates that the key associated with
the certificate can be used for signing OCSP responses. For details on this
extension, see "OCSPSigningExt Rule" on page 173.
When an OCSP-compliant application receives a signed response, as a part of
validating the signature, the application needs to verify that the responder's
certificate has not been revoked. RFC 2560 recommends three ways in which a CA
may indicate the revocation status of an OCSP responder certificate. One of them is
that the CA issue the OCSP responder a certificate with the OCSP no check
extension, which indicates that the certificate can be trusted by the clients for its
lifetime. The OCSP no check policy of Certificate Management System implements
this method and enables you to set the OCSP no check extension in OCSP
responder certificates.
Because OCSP-compliant applications don't check for the revocation status of the
OCSP responder certificate (containing the OCSP no check extension), when
issuing these types of certificates, you should consider issuing them with a short
validity period (and renew them frequently). Note that the OCSP no check
extension policy only adds the extension to a certificate; it doesn't control the
validity period of the certificate. If you want to limit the validity period of these
certificates to a short period, you should consider creating an instance of the
ValidityConstraints module with the appropriate configuration, for example, with
the predicate parameter set to HTTP_PARAMS.certType=ocspResponder. For
details, see "ValidityConstraints Plug-in Module" on page 120. If you have agent
privileges, you can also specify the required validity period when approving the
OCSP responder certificate request in the request queue; the enrollment process for
an OCSP responder certificate is manual, and the request gets queued for agent
approval.
Before configuring the server to add the OCSP no check extension to OCSP
responder certificates, read the general guidelines provided in "OCSPNocheck" on
page 351.
218 Netscape Certificate Management System Plug-Ins Guide • March 2002
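The manual's point is that a responder certificate carrying the OCSP no check extension is trusted by clients for its whole lifetime, so the CA should keep that lifetime short. The following added example (not code from the Netscape manual or from Certificate Management System) shows the defender-side check a CA operator or auditor might run over an issued responder certificate: it confirms the OCSP signing extended key usage, detects the id-pkix-ocsp-nocheck extension, and flags a no-check certificate whose validity exceeds a local limit. It assumes the Python `cryptography` package; `MAX_NOCHECK_DAYS` and the self-signed sample certificates are constructed for the example (a real responder certificate is issued by the CA).

```python
"""Lint an OCSP responder certificate for the no-check extension and a bounded
validity period.  Added example; assumes the `cryptography` package."""
import datetime
import sys

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Assumed local policy for no-check certificates; not a value from the manual.
MAX_NOCHECK_DAYS = 30

# id-pkix-ocsp-nocheck, the extension the OCSPNoCheckExt policy adds.
OCSP_NOCHECK_OID = x509.OCSPNoCheck.oid.dotted_string  # 1.3.6.1.5.5.7.48.1.5


def _validity(cert):
    """Return (not_before, not_after), preferring the timezone-aware accessors
    of newer cryptography releases and falling back to the older naive ones."""
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return not_before, not_after


def assess_responder_cert(cert, max_days=MAX_NOCHECK_DAYS):
    """Return a list of findings; an empty list means the certificate has the
    OCSP signing EKU and, if it carries no-check, lives at most `max_days`."""
    findings = []

    # The CA marks a designated responder with the OCSP signing EKU.
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        has_ocsp_signing = ExtendedKeyUsageOID.OCSP_SIGNING in eku
    except x509.ExtensionNotFound:
        has_ocsp_signing = False
    if not has_ocsp_signing:
        findings.append("missing OCSP signing extended key usage")

    # With no-check present, clients skip revocation checks for the lifetime.
    try:
        cert.extensions.get_extension_for_class(x509.OCSPNoCheck)
        has_nocheck = True
    except x509.ExtensionNotFound:
        has_nocheck = False

    not_before, not_after = _validity(cert)
    lifetime_days = (not_after - not_before).days
    if has_nocheck and lifetime_days > max_days:
        findings.append(
            f"no-check certificate valid for {lifetime_days} days; clients will "
            f"not check its revocation status (policy limit {max_days} days)"
        )
    return findings


def make_responder_cert(lifetime_days, with_nocheck=True, with_ocsp_eku=True):
    """Build a constructed, self-signed responder certificate for testing."""
    key = ec.generate_private_key(ec.SECP256R1(), default_backend())
    name = x509.Name(
        [x509.NameAttribute(NameOID.COMMON_NAME, "constructed OCSP responder")]
    )
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=lifetime_days))
    )
    if with_ocsp_eku:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False
        )
    if with_nocheck:
        builder = builder.add_extension(x509.OCSPNoCheck(), critical=False)
    return builder.sign(key, hashes.SHA256(), default_backend())


if __name__ == "__main__":
    # Usage: python ocsp_nocheck_lint.py responder.pem  (or no argument for a sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            cert = x509.load_pem_x509_certificate(f.read(), default_backend())
    else:
        cert = make_responder_cert(365)  # constructed long-lived sample
    for finding in assess_responder_cert(cert) or ["OK"]:
        print(finding)
```

Run against a PEM file to audit a real responder certificate, or without arguments to see the finding on a constructed one-year no-check certificate. The validity threshold is a policy choice; the manual only says to prefer a short period and renew frequently, so set `MAX_NOCHECK_DAYS` to whatever your ValidityConstraints instance enforces for `ocspResponder` requests.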