OCSP No Check Extension
4.2.2.2.1 Revocation Checking of an Authorized Responder
Since an Authorized OCSP responder provides status information for one or more CAs, OCSP clients need to know how to check that an authorized responder's certificate has not been revoked. CAs may choose to deal with this problem in one of three ways:
- A CA may specify that an OCSP client can trust a responder for the lifetime of the responder's certificate. The CA does so by including the extension id-pkix-ocsp-nocheck. This SHOULD be a non-critical extension. The value of the extension should be NULL. CAs issuing such a certificate should realize that a compromise of the responder's key is as serious as the compromise of a CA key used to sign CRLs, at least for the validity period of this certificate. CAs may choose to issue this type of certificate with a very short lifetime and renew it frequently.
id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= {id-pkix-ocsp 5}
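
The following is an added example, not part of RFC 2560 or of this registry entry: a stdlib-only audit of one DER-encoded X.509 `Extension` that checks the properties described above (non-critical, NULL value) and flags a long-lived responder certificate. The function names, the sample bytes and the `max_days` threshold are assumptions made for illustration; the RFC text gives no number for "very short lifetime".

```python
# Added example: audit one DER-encoded X.509 Extension for id-pkix-ocsp-nocheck.
NOCHECK_OID = bytes.fromhex("2b0601050507300105")  # 1.3.6.1.5.5.7.48.1.5

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def audit_nocheck(ext_der, validity_days, max_days=7):
    """Return a list of findings. An empty list means the extension is not
    nocheck, or it is encoded as described and the certificate is short-lived.
    max_days is a hypothetical local policy value, not taken from the RFC."""
    tag, body, _ = read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    if oid != NOCHECK_OID:
        return []
    findings = []
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional critical BOOLEAN precedes extnValue
        if val != b"\x00":
            findings.append("nocheck marked critical (SHOULD be non-critical)")
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    if val != b"\x05\x00":
        findings.append("extension value is not DER NULL")
    if validity_days > max_days:
        findings.append(f"responder cert valid {validity_days} days (> {max_days}); "
                        "revocation is never checked for that period")
    return findings

# Constructed samples: a well-formed nocheck extension and one marked critical.
GOOD = bytes.fromhex("300f06092b060105050730010504020500")
CRITICAL = bytes.fromhex("301206092b06010505073001050101ff04020500")
```

To audit a real responder certificate, pass each entry of its extensions list to `audit_nocheck` together with the certificate's validity period in days.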
Defined in RFC 2560
Internet Assigned Numbers Authority (IANA)
OID | Name | Sub children | Sub Nodes Total | Description |
---|---|---|---|---|
1.3.6.1.5.5.7.48.1.1 | basic-response | 0 | 0 | OCSP Basic Response |
1.3.6.1.5.5.7.48.1.2 | nonce-extension | 0 | 0 | OCSP Nonce Extension From RFC 2560: 4.4.1 Nonce The nonce cryptographically binds a request and a response to prevent replay … |
1.3.6.1.5.5.7.48.1.3 | crl | 0 | 0 | Certificate Revocation List (CRL) reference |
1.3.6.1.5.5.7.48.1.4 | response | 0 | 0 | Response types understood by an Online Certificate Status Protocol (OCSP) client |
1.3.6.1.5.5.7.48.1.6 | archive-cutoff | 0 | 0 | OCSP Archive Cutoff Extension |
1.3.6.1.5.5.7.48.1.7 | service-locator | 0 | 0 | OCSP Service Locator Extension |
1.3.6.1.5.5.7.48.1.8 | id-pkix-ocsp-pref-sig-algs | 0 | 0 | Client indication of preferred signature algorithms |