3. Functional Requirements

3.1. Certificate Content

In order to convey to OCSP clients a well-known point of information access, CAs SHALL provide the capability to include the authority information access extension (defined in [RFC5280], Section 4.2.2.1) in certificates that can be checked using OCSP. Alternatively, the accessLocation for the OCSP provider may be configured locally at the OCSP client.

CAs that support an OCSP service, either hosted locally or provided by an Authorized Responder, MUST provide for the inclusion of a value for a Uniform Resource Identifier (URI) [RFC3986] accessLocation and the OID value id-ad-ocsp for the accessMethod in the AccessDescription SEQUENCE.

The value of the accessLocation field in the subject certificate defines the transport (e.g., HTTP) used to access the OCSP responder and may contain other transport-dependent information (e.g., a URL).
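The AccessDescription described above, as an added example that is not part of RFC 6960 or RFC 5280: a small pure-Python DER encoder and parser for the AuthorityInfoAccess extension value, assuming only the standard library. It builds an extension that carries both an id-ad-ocsp and an id-ad-caIssuers entry, then recovers only the URI accessLocations whose accessMethod is id-ad-ocsp, which is what an OCSP client must extract before it can contact the responder. The URLs, the helper names and the ASCII-only check are the example's own; structural errors raise instead of being skipped, since a parser that silently drops a malformed entry hides a certificate that cannot be checked.

```python
# Added example (not from RFC 6960 or RFC 5280): build and parse the DER value
# of an AuthorityInfoAccess extension carrying an id-ad-ocsp accessLocation.
# ASN.1 shape (RFC 5280, Section 4.2.2.1):
#   AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
#   AccessDescription ::= SEQUENCE { accessMethod   OBJECT IDENTIFIER,
#                                    accessLocation GeneralName }
#   uniformResourceIdentifier is GeneralName choice [6], IMPLICIT IA5String,
#   so it is encoded with context tag 0x86.

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # accessMethod for an OCSP responder
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # accessMethod for issuer cert retrieval

def der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_aia(entries) -> bytes:
    """entries: [(accessMethod OID, URI)] -> DER extnValue of the AIA extension."""
    descs = b"".join(
        tlv(0x30, encode_oid(oid) + tlv(0x86, uri.encode("ascii")))  # IA5String: ASCII only
        for oid, uri in entries
    )
    return tlv(0x30, descs)

def read_tlv(buf: bytes, pos: int):
    """Parse one TLV at buf[pos]; returns (tag, body, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def ocsp_locations(extn_value: bytes) -> list:
    """Return every URI accessLocation whose accessMethod is id-ad-ocsp.
    Other access methods and non-URI GeneralName choices are skipped;
    structural errors raise rather than being silently ignored."""
    tag, seq, end = read_tlv(extn_value, 0)
    if tag != 0x30 or end != len(extn_value):
        raise ValueError("extnValue is not a single SEQUENCE")
    uris, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("AccessDescription must be a SEQUENCE")
        mtag, method, p = read_tlv(desc, 0)
        ltag, location, p = read_tlv(desc, p)
        if mtag != 0x06 or p != len(desc):
            raise ValueError("malformed AccessDescription")
        if decode_oid(method) == ID_AD_OCSP and ltag == 0x86:
            uris.append(location.decode("ascii"))
    return uris

if __name__ == "__main__":
    # Constructed sample: one OCSP responder plus one caIssuers pointer.
    aia = encode_aia([(ID_AD_OCSP, "http://ocsp.example.com"),
                      (ID_AD_CA_ISSUERS, "http://ca.example.com/ca.cer")])
    print(aia.hex())
    print(ocsp_locations(aia))
```

The parser deliberately keys on the accessMethod OID rather than on position: nothing in the extension guarantees that the OCSP entry comes first, or that there is only one, and a caIssuers URL must not be mistaken for a responder address.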

3.2. Signed Response Acceptance Requirements

Prior to accepting a signed response for a particular certificate as valid, OCSP clients SHALL confirm that:

  1. The certificate identified in a received response corresponds to the certificate that was identified in the corresponding request;

  2. The signature on the response is valid;

  3. The identity of the signer matches the intended recipient of the request;

  4. The signer is currently authorized to provide a response for the certificate in question;

  5. The time at which the status being indicated is known to be correct (thisUpdate) is sufficiently recent;

  6. When available, the time at or before which newer information will be available about the status of the certificate (nextUpdate) is greater than the current time.
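The six checks above, carried through as an added example that is not part of the RFC: a client-side acceptance routine over a constructed OCSP exchange. Wire encoding is left out, and the signature is textbook RSA over two tiny fixed primes, a toy stand-in chosen only so that the signature and signer-identity checks (2 through 4) run end to end against a real key comparison rather than a stub; it is not a usable signature scheme. The CertID and SingleResponse shapes, the MAX_AGE and CLOCK_SKEW values standing in for "sufficiently recent", and every key and hash are the example's own assumptions. The scenarios exercise the failure modes a practitioner actually meets: a response whose status was altered after signing, a replayed response past its nextUpdate, a response for a different certificate, a signer the client never authorized, and the case where nextUpdate is absent and check 6 is therefore skipped.

```python
# Added example (not part of RFC 6960): a client applying the six acceptance
# checks of Section 3.2 to a constructed OCSP exchange. Wire formats are
# omitted; the signature is textbook RSA over tiny fixed primes, a TOY stand-in
# used only so that signature and signer-identity checks run end to end.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from hashlib import sha256
from typing import Optional

# --- toy signature scheme (illustrative, insecure) ---------------------------
P, Q, E = 1000000007, 998244353, 65537   # small well-known primes, ~60-bit modulus
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def msg_to_int(msg: bytes) -> int:
    return int.from_bytes(sha256(msg).digest()[:7], "big")  # 56 bits, below N

def toy_sign(msg: bytes) -> int:
    return pow(msg_to_int(msg), D, N)

def toy_verify(msg: bytes, sig: int, pub_n: int) -> bool:
    return pow(sig, E, pub_n) == msg_to_int(msg)

def key_id(pub_n: int) -> bytes:          # responder identity, byKey style
    return sha256(pub_n.to_bytes(8, "big")).digest()

RESPONDER = key_id(N)

# --- simplified protocol objects ---------------------------------------------
@dataclass(frozen=True)
class CertID:                 # what the request asked about
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int

@dataclass(frozen=True)
class SingleResponse:
    cert_id: CertID
    status: str                        # "good" | "revoked" | "unknown"
    this_update: datetime
    next_update: Optional[datetime]    # OPTIONAL in the real protocol too
    signer_key_id: bytes               # responderID

    def tbs(self) -> bytes:            # stand-in for the DER of tbsResponseData
        nu = self.next_update.isoformat() if self.next_update else "-"
        c = self.cert_id
        return "|".join([c.issuer_name_hash.hex(), c.issuer_key_hash.hex(), str(c.serial),
                         self.status, self.this_update.isoformat(), nu,
                         self.signer_key_id.hex()]).encode()

@dataclass(frozen=True)
class SignedResponse:
    body: SingleResponse
    signature: int

def sign_response(body: SingleResponse) -> SignedResponse:
    return SignedResponse(body, toy_sign(body.tbs()))

# --- client side: the Section 3.2 checks -------------------------------------
MAX_AGE = timedelta(days=7)          # assumed local policy for "sufficiently recent"
CLOCK_SKEW = timedelta(minutes=5)    # assumed tolerance for thisUpdate in the future

def failed_checks(request_id: CertID, resp: SignedResponse, expected_responder: bytes,
                  known_keys: dict, authorized: dict, now: datetime) -> list:
    """Return the numbers of the Section 3.2 checks that fail; [] means accept.
    known_keys: signer key id -> public modulus.  authorized: issuer key hash ->
    set of signer key ids allowed to answer for that issuer's certificates."""
    b, failed = resp.body, []
    if b.cert_id != request_id:                                              # 1
        failed.append(1)
    pub = known_keys.get(b.signer_key_id)
    if pub is None or not toy_verify(b.tbs(), resp.signature, pub):          # 2
        failed.append(2)
    if b.signer_key_id != expected_responder:                                # 3
        failed.append(3)
    if b.signer_key_id not in authorized.get(request_id.issuer_key_hash, set()):  # 4
        failed.append(4)
    if b.this_update > now + CLOCK_SKEW or now - b.this_update > MAX_AGE:     # 5
        failed.append(5)
    if b.next_update is not None and b.next_update <= now:                   # 6
        failed.append(6)
    return failed

def demo() -> dict:
    """Constructed scenarios; each value is the list of failed check numbers."""
    issuer_key = sha256(b"constructed issuer key").digest()
    cid = CertID(sha256(b"CN=Example CA").digest(), issuer_key, 0x1234)
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    known, auth = {RESPONDER: N}, {issuer_key: {RESPONDER}}
    fresh = sign_response(SingleResponse(cid, "good", now - timedelta(hours=1),
                                         now + timedelta(days=1), RESPONDER))
    tampered = SignedResponse(replace(fresh.body, status="revoked"), fresh.signature)
    stale = sign_response(replace(fresh.body, this_update=now - timedelta(days=10),
                                  next_update=now - timedelta(days=3)))
    other = sign_response(replace(fresh.body, cert_id=replace(cid, serial=0x9999)))
    rogue = sign_response(replace(fresh.body, signer_key_id=sha256(b"rogue").digest()))
    no_next = sign_response(replace(fresh.body, next_update=None))
    cases = [("fresh", fresh), ("tampered", tampered), ("stale", stale),
             ("wrong_cert", other), ("rogue_signer", rogue), ("no_next_update", no_next)]
    return {name: failed_checks(cid, r, RESPONDER, known, auth, now) for name, r in cases}

if __name__ == "__main__":
    for name, failed in demo().items():
        print(f"{name:15} {'accept' if not failed else 'reject ' + str(failed)}")
```

Two design points carry over to real implementations. The routine reports every failed check rather than stopping at the first, which is what you want in logs when triaging a misbehaving responder, but the accept decision is simply "the list is empty". And check 6 is conditional on nextUpdate being present: a response without it is not automatically stale, but it also gives the client no bound on how long the status may be cached, so the MAX_AGE policy in check 5 is then the only freshness guarantee.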