- OCSP signing Certificate MUST contain an extension of type id-pkixocsp-nocheck, as defined by RFC6960.
- Effective January 31, 2020, if the subject:organizationIdentifier field is present, this [cabfOrganizationIdentifier] field MUST be present.
- For URIs, the constraint MUST be specified as a fully qualified domain name [...] When the constraint begins with a period, it MAY be expanded with one or more labels.