From November 1, 2023, the certificate of SK's paid validity confirmation service (OCSP) will change. Certificates valid for 35 days will be introduced. In addition, it will no longer be possible to create a digital signature in BDOC-TM format with the modified OCSP service.
Until now, the same validity confirmation service certificate, SK OCSP RESPONDER 2011, issued by the top certifier (EECCRCA), was used for all CA sub-services for requests submitted to http://ocsp.sk.ee/. From November 1, 2023, a separate validity confirmation certificate is used for the certificates issued by each intermediate CA.
The new validity confirmation certificates have a shorter validity period: each certificate is valid for 35 days and is replaced every 30 days. Each OCSP certificate is issued by the corresponding intermediate certifier. The same certificates are also used in the freely accessible OCSP service (aia.sk.ee). In the future, SK will not give notice when the service certificate changes.
The modified service cannot be used to generate BDOC-TM signatures. Digital signatures in BDOC-TM format created from November 1, 2023 will no longer be validated. Previously created BDOC-TM signatures can be validated.
The purpose of the change is to ensure the sustainability of the paid validity confirmation service and even better compliance with international standards than before. The general conditions for using the validation service will not change.
The changes affect all services that use SK’s validity confirmation service at ocsp.sk.ee to check the validity of Smart-ID, Mobile-ID, Estonian ID-card and institution certificates, and services that still use the BDOC-TM signature format for digital signing. Support for creating signatures in the BDOC-TM format will be terminated because it is an Estonian-specific digital signature format that is not supported in the following versions of the digidoc library published by the RIA (National Information System Agency) this year. Information about library support published by RIA can be found here.
The changes do not affect customers who use the free access OCSP service, which is available at aia.sk.ee.
Service providers who have created dependencies with the SK OCSP RESPONDER 2011 certificate must check the operation logic of their information system in good time and make changes if necessary. From November 1, 2023, the information system must trust OCSP certificates issued by the relevant intermediate CA. Those services and information systems that have so far created a digital signature in the BDOC-TM format must switch to the AdES LT digital signature format.
Example: if, after the change, a request for validity information about a Mobile-ID certificate issued from the EID-SK 2016 certification chain is submitted to the ocsp.sk.ee service, the service returns a response signed with the OCSP certificate issued by EID-SK 2016 (EID-SK 2016 AIA OCSP RESPONDER). If, however, you submit a request for validity information about an ID-card certificate issued by ESTEID2018, the response is signed with the OCSP certificate issued by ESTEID2018 (ESTEID-SK 2018 AIA OCSP RESPONDER).
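The trust decision described above, as an added Go example (not SK's code and not part of the original notice): instead of pinning one responder certificate, accept a responder certificate when the intermediate CA that issued the certificate being checked signed it, it is inside its 35-day validity period, and it carries the OCSP signing extended key usage. All certificate names, dates and the `newCert` helper are constructed for the demonstration; verifying the signature on the OCSP response itself is assumed to happen separately.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckResponder accepts an OCSP responder certificate only if issuer (the CA
// that issued the certificate being checked) signed it, it is valid at now,
// and it carries the OCSP signing extended key usage.
func CheckResponder(responder, issuer *x509.Certificate, now time.Time) error {
	if err := responder.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("not issued by %q: %w", issuer.Subject.CommonName, err)
	}
	if now.Before(responder.NotBefore) || now.After(responder.NotAfter) {
		return fmt.Errorf("responder certificate not valid on %s", now.Format("2006-01-02"))
	}
	for _, eku := range responder.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return nil
		}
	}
	return fmt.Errorf("responder certificate lacks the OCSP signing EKU")
}

// newCert issues a constructed test certificate (errors ignored for brevity); nil parent = self-signed.
func newCert(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey, from time.Time, days int, ku x509.KeyUsage, eku ...x509.ExtKeyUsage) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: from.AddDate(0, 0, days),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku, ExtKeyUsage: eku}
	if parent == nil {
		parent, pkey = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	t0 := time.Date(2023, 11, 1, 0, 0, 0, 0, time.UTC) // constructed issuance date
	ca, caKey := newCert("Constructed Intermediate CA", nil, nil, t0, 3650, x509.KeyUsageCertSign)
	resp, _ := newCert("Constructed OCSP Responder", ca, caKey, t0, 35, x509.KeyUsageDigitalSignature, x509.ExtKeyUsageOCSPSigning)
	fmt.Println(CheckResponder(resp, ca, t0.AddDate(0, 0, 10)), CheckResponder(resp, ca, t0.AddDate(0, 0, 40)))
}
```

Because the responder certificate is replaced every 30 days without notice, a system that stores a copy of it will start rejecting valid responses; the check has to run against whatever responder certificate arrives with each response.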
To make the change smoother, use our test environment to check how your services work with the changed validation service logic. For testing, we have updated the validity confirmation service demo.sk.ee/ocsp in the public test environment. More information about testing can be found on GitHub.
If you would like more information or if you have any questions, please contact [email protected].
Source: SK ID Solutions