...
CAs MAY provide OCSP responses for Code Signing Certificates and Timestamp Certificates for the time period specified in their CPS, which MAY be at least 10 years after the expiration of the certificate.
...
This seems to specify that CAs MAY keep OCSP responses for up to 10 years after expiration. However, for CRL, this is a MUST. Do we need cleanup /clarification of this language?
4.9.10 currently reads:
... CAs MAY provide OCSP responses for Code Signing Certificates and Timestamp Certificates for the time period specified in their CPS, which MAY be at least 10 years after the expiration of the certificate. ...
This seems to specify that CAs MAY keep OCSP responses for up to 10 years after expiration. However, for CRL, this is a MUST. Do we need cleanup /clarification of this language?