Important changes in Validity Confirmation Service 01.11.2023
Starting from 1st November 2023 the signing certificate of the paid validity confirmation service (OCSP) will change. Certificates valid for 35 days will be taken into use. In addition, it is no longer possible to create a valid digital signature in BDOC-TM format with the changed OCSP service.
OCSP responses requested from http://ocsp.sk.ee/ are currently signed with a single long-validity certificate, SK OCSP RESPONDER 2011, issued by the EECCRCA root certificate. From November 1st at 1 PM, each OCSP response will instead be signed with a different OCSP responder certificate, issued by the corresponding intermediate CA.
The new validity confirmation service certificates have a shorter validity period: each responder certificate is valid for 35 days and is rotated every 30 days. Each certificate is issued by its respective intermediate CA. The same certificates are also used in the free-access OCSP service (aia.sk.ee). SK will not announce each rotation of the service certificate separately.
The modified service cannot be used to create signatures in BDOC-TM format. Signatures created in BDOC-TM format from November 1, 2023 can no longer be validated.
Previously created BDOC-TM signatures can still be validated with the libraries.
The purpose of the change is to ensure the sustainability of SK’s paid OCSP service and even better compliance with international standards.
The general conditions for using the validity confirmation service will not change.
Who is affected?
The changes will affect all services that use the paid SK validity confirmation service at ocsp.sk.ee to check the validity of Smart-ID, Mobile-ID, Estonian ID-card and organisation certificates, and all services that still use the BDOC-TM signature format for digital signing.
Support for creating signatures in the BDOC-TM format will be terminated because it is an Estonian-specific digital signature format. The next versions of the libraries, to be published by the RIA (Estonian Information System Authority) later this year, will not support the creation of BDOC-TM signatures. More detailed information about the libraries can be found here.
The change does not affect customers who use the free-access OCSP service, which is available at aia.sk.ee.
What will change?
We kindly ask service providers to check the operational logic of their information systems in a timely manner and, if necessary, make the appropriate changes wherever a dependency on the SK OCSP RESPONDER 2011 certificate has been created. From 1st of November, the OCSP responder certificates issued by the respective intermediate CA must be trusted instead. Secondly, those services and information systems that until now have created digital signatures in BDOC-TM format must switch to the AdES LT digital signature format.
For example: after the change, if a request for Mobile-ID certificate status information is submitted to the paid OCSP at ocsp.sk.ee, the response is signed with the OCSP responder certificate issued by EID-SK 2016 (EID-SK 2016 AIA OCSP RESPONDER). If, however, the request concerns the validity of an ID-card certificate issued by ESTEID2018, the response is signed with the OCSP responder certificate issued by ESTEID2018 (ESTEID-SK 2018 AIA OCSP RESPONDER).
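The check described above, written out as an added example that is not SK's code: a response is accepted only when the responder certificate in it was issued for OCSP signing by the same CA that issued the checked certificate (the RFC 6960 rule for delegated responders), is within its validity period, and actually signed the response, so no single responder certificate is pinned. The CA, end-entity and responder certificates are constructed inside the block, and the Python cryptography library is assumed.

```python
# Added example, not SK's code: trust a delegated OCSP responder certificate issued by the CA
# of the checked certificate (RFC 6960 4.2.2.2) instead of pinning one long-lived responder cert.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
NOW = datetime.now(timezone.utc).replace(tzinfo=None)

def make_cert(cn, issuer, issuer_key, key, days, ocsp_signing=False):
    # Constructed test certificate; self-signed when issuer is None.
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer.subject if issuer else subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(minutes=5)).not_valid_after(NOW + timedelta(days=days)))
    if ocsp_signing:  # id-kp-OCSPSigning marks a delegated responder
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def responder_trusted(resp, issuer_cert):
    """True only if a responder cert issued by issuer_cert (the CA of the checked certificate)
    for OCSP signing is valid now and actually signed this response."""
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL or not resp.certificates:
        return False
    r = resp.certificates[0]
    if r.issuer != issuer_cert.subject or not r.not_valid_before <= NOW <= r.not_valid_after:
        return False  # wrong CA, or a rotated-out responder cert: re-check on every response
    try:
        eku = r.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            return False
        issuer_cert.public_key().verify(r.signature, r.tbs_certificate_bytes, ec.ECDSA(r.signature_hash_algorithm))
        r.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    except Exception:  # ExtensionNotFound or InvalidSignature
        return False
    return True

def demo(responder_from_issuing_ca=True):
    # Constructed chain: intermediate CA -> end-entity; 35-day responder cert from that CA or an unrelated one.
    ca_key, other_key, ee_key, r_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    ca = make_cert("Demo Intermediate CA", None, ca_key, ca_key, 3650)
    ee = make_cert("Demo End Entity", ca, ca_key, ee_key, 365)
    rca, rkey = (ca, ca_key) if responder_from_issuing_ca else (make_cert("Demo Unrelated CA", None, other_key, other_key, 3650), other_key)
    responder = make_cert("Demo AIA OCSP RESPONDER", rca, rkey, r_key, 35, ocsp_signing=True)
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(ee, ca, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD, NOW, NOW + timedelta(hours=1), None, None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, responder).certificates([responder])
            .sign(r_key, hashes.SHA256()))
    return responder_trusted(resp, ca)
```

In production, issuer_cert is the intermediate CA (for instance EID-SK 2016 or ESTEID2018) that issued the certificate being checked, and the responder certificate is taken from each response rather than cached, since it rotates every 30 days.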
Technical info and testing
In order to make the change smoother, please use our test environment to make sure that your services work with the changed OCSP certificate logic. For testing, we have updated the validity confirmation service at demo.sk.ee/ocsp in the public demo environment. Technical parameters for the production OCSP service can be found on GitHub here, and for the test environment here.
If you have any questions, please contact our customer support at email@example.com.
SK ID Solutions AS
+372 610 1888