OCSP Response Acceptance Considerations
This section summarizes the considerations for identifying the sources of trusted OCSP responses and how the Validation Client handles responses whose trustworthiness cannot be determined.
The Validation Client only accepts OCSP responses from sources that it has been configured to trust explicitly (because the administrator has designated a given responder certificate as trustworthy) or implicitly (because the responder certificate meets the trust requirements of RFC 2560).
When the responder certificate is explicitly trusted, its expiration date is not checked. When the responder certificate is implicitly trusted, the response is accepted only if the current time is within the responder certificate's validity period.
The Validation Client determines whether or not an OCSP response is trusted as follows:
- When the certificate used to sign the response is in the list of explicitly trusted responder certificates, the Validation Client trusts the response.
- If the certificate used to sign the response is not explicitly trusted, the Validation Client attempts to establish whether it can be implicitly trusted. Implicit trust is established when the responder certificate meets all of the following conditions:
  - The responder certificate is issued by the same certificate authority (CA) as the certificate being validated, and
  - The responder certificate contains the extended key usage extension with the OCSP-signing value, and
  - The responder certificate contains the id-pkix-ocsp-nocheck extension (see the note below for a definition), or you have configured the Validation Client to accept certificates automatically from an implicitly trusted VA (for more information, see section Configure OCSP Response Acceptance), or the responder certificate is successfully validated.
Note: id-pkix-ocsp-nocheck - A certificate extension specified by RFC 2560. In a traditional OCSP configuration, a CA includes this extension in a VA certificate to specify that an OCSP client can trust a responder for the lifetime of the responder's certificate without needing to validate the revocation status of the certificate.
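To make the decision procedure concrete, here is an added Python model of these rules (example code written for this page, not the Validation Client's own implementation). The minimal certificate class, the sample names and dates, and the stubbed path-validation callback are assumptions; the two OIDs are the RFC 2560 values for id-kp-OCSPSigning and id-pkix-ocsp-nocheck.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"     # id-kp-OCSPSigning (RFC 2560)
OCSP_NOCHECK_EXT = "1.3.6.1.5.5.7.48.1.5"  # id-pkix-ocsp-nocheck (RFC 2560)

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate; fields are constructed, not parsed."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    eku: tuple = ()
    extensions: tuple = ()

def ocsp_response_trusted(signer, target, explicit_responders, auto_accept_implicit_va, now, path_validates):
    """Return (trusted, reason) for a response signed by `signer`, applying the rules above."""
    # Explicit trust: the administrator designated this responder; its expiry is not checked.
    if signer in explicit_responders:
        return True, "explicit trust: administrator-designated responder"
    # Implicit trust: validity period is enforced, then every RFC 2560 condition must hold.
    if not signer.not_before <= now <= signer.not_after:
        return False, "responder certificate outside its validity period"
    if signer.issuer != target.issuer:   # must be issued by the same CA as the certificate being validated
        return False, "responder not issued by the target certificate's CA"
    if OCSP_SIGNING_EKU not in signer.eku:
        return False, "responder lacks the OCSP-signing extended key usage"
    if OCSP_NOCHECK_EXT in signer.extensions:
        return True, "implicit trust: id-pkix-ocsp-nocheck present"
    if auto_accept_implicit_va:
        return True, "implicit trust: auto-accept from implicitly trusted VA is configured"
    if path_validates(signer):           # full chain/revocation validation of the responder itself
        return True, "implicit trust: responder certificate validated"
    return False, "responder certificate could not be validated"

# Constructed sample certificates (names and dates are invented for the example).
def _cert(subject, issuer, first_year, last_year, **kw):
    return Cert(subject, issuer, datetime(first_year, 1, 1, tzinfo=timezone.utc),
                datetime(last_year, 1, 1, tzinfo=timezone.utc), **kw)

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CA = "CN=Example Issuing CA"
TARGET = _cert("CN=alice", CA, 2024, 2025)
RESPONDER_NOCHECK = _cert("CN=ocsp-nocheck", CA, 2024, 2025, eku=(OCSP_SIGNING_EKU,), extensions=(OCSP_NOCHECK_EXT,))
RESPONDER_EXPIRED = _cert("CN=ocsp-expired", CA, 2020, 2021, eku=(OCSP_SIGNING_EKU,), extensions=(OCSP_NOCHECK_EXT,))
RESPONDER_OTHER_CA = _cert("CN=ocsp-other", "CN=Other CA", 2024, 2025, eku=(OCSP_SIGNING_EKU,), extensions=(OCSP_NOCHECK_EXT,))
RESPONDER_PLAIN = _cert("CN=ocsp-plain", CA, 2024, 2025, eku=(OCSP_SIGNING_EKU,))

# Evaluate `signer` against TARGET at NOW; `validates` stubs the outcome of validating the responder.
def evaluate(signer, explicit=(), auto_accept=False, validates=False):
    return ocsp_response_trusted(signer, TARGET, explicit, auto_accept, NOW, lambda c: validates)
```

Note that the expired responder is rejected on the implicit path but accepted when listed explicitly, which is exactly the asymmetry described above.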