Subordinate CA OCSP validity limits
8 views
Skip to first unread message
Taavi Eomäe
Feb 11, 2026, 6:59:29 AM (3 days ago) Feb 11
to S/MIME Certificate WG - Public (CA/B Forum)
Hi,
The S/MIME BR (1.0.12) currently defines OCSP response validity periods for subscriber certificates.
However quite a few CAs also offer OCSP for their subordinate CAs, the BR defines how often (12mo) and how fast (within 24h) the status should be updated, but not how long the responses should be valid.
Is this intentional? Should an implementation only enforce an upper limit of 12 months?
Best Regards,
Taavi Eomäe
Zone Media OÜ
The S/MIME BR (1.0.12) currently defines OCSP response validity periods for subscriber certificates.
However quite a few CAs also offer OCSP for their subordinate CAs, the BR defines how often (12mo) and how fast (within 24h) the status should be updated, but not how long the responses should be valid.
Is this intentional? Should an implementation only enforce an upper limit of 12 months?
Best Regards,
Taavi Eomäe
Zone Media OÜ
Stephen Davidson
Feb 11, 2026, 12:54:41 PM (2 days ago) Feb 11
to smcwg-...@groups.cabforum.org
Hello Taavi
This OCSP language is consistent in several of the CABF standards.
For sub CAs, that is the only specification. CAs are free to implement tighter boundaries, but this is the minimum.
Regards, Stephen
--
You received this message because you are subscribed to the Google Groups "S/MIME Certificate WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
smcwg-public...@groups.cabforum.org.
To view this discussion visit
https://groups.google.com/a/groups.cabforum.org/d/msgid/smcwg-public/90ac33f2-3eb9-417a-81e3-3a2a059b37f6n%40groups.cabforum.org.
Reply all
Reply to author
Forward
0 new messages