<div dir="ltr"><div>Hello,<br></div><span style="font-family:Tahoma,Verdana,Arial;font-size:14px">The <a href="https://tools.ietf.org/html/rfc6960#section-4.2.2.2" target="_blank">RFC</a> states that:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
OCSP signing delegation SHALL be designated by the inclusion of<br>
id-kp-OCSPSigning in an extended key usage certificate extension<br>
included in the OCSP response signer's certificate.</blockquote><div>The use of "SHALL" rather than "MUST" indicates that this recommendation can be ignored.<br></div><div>How does OpenSSL handle OCSP responses signed by certificates that do not have <span style="font-family:Tahoma,Verdana,Arial;font-size:14px">id-kp-OCSPSigning in the extended key usage certificate extension when the responses are not signed by the issuing CA directly?<br></span></div><div><span style="font-family:Tahoma,Verdana,Arial;font-size:14px">What informs this decision/policy?<br></span></div><div><span style="font-family:Tahoma,Verdana,Arial;font-size:14px">Are there any security implications in including or excluding OCSP-sign in the extended key usage extension?<br></span></div></span></div>
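<p>As an added example (not part of the original message, and not OpenSSL's own code or test suite), the following shell script builds a throwaway PKI with the <code>openssl</code> CLI and runs the three cases the question is about: a delegated responder whose certificate carries id-kp-OCSPSigning, one whose certificate lacks it, and the latter again with the responder certificate handed to the verifier as an explicitly trusted signer. It assumes only that an <code>openssl</code> binary (1.1.1 or 3.x) is on PATH; the CA, leaf and responder names are invented for the demo.</p>

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSL itself: build a
# scratch PKI and observe how `openssl ocsp` treats a delegated responder
# certificate with and without id-kp-OCSPSigning in its extendedKeyUsage.
# Assumes an `openssl` binary (1.1.1 or 3.x) on PATH. All names (TestCA, leaf,
# responder-ok, responder-bad) are made up for the demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl binary required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = TestCA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
subjectKeyIdentifier = hash
EOF

# issue NAME SUBJECT EXTENSION: EC key + CSR, signed by the test CA, with the
# certificate extensions taken from a one-line extfile.
issue() {
    openssl req -new -config ca.cnf -subj "$2" -newkey ec \
        -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf '%s\n' "$3" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# build_fixtures: self-signed CA, one end-entity cert, two delegated responder
# certs (only one carries the OCSPSigning EKU) and a CA index file so that
# `openssl ocsp -index` can answer "good" for the end-entity cert.
build_fixtures() {
    openssl req -x509 -config ca.cnf -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
        -nodes -keyout ca.key -out ca.crt -days 30 2>/dev/null
    issue leaf     /CN=leaf          extendedKeyUsage=serverAuth
    issue resp_ok  /CN=responder-ok  extendedKeyUsage=OCSPSigning
    issue resp_bad /CN=responder-bad extendedKeyUsage=serverAuth
    serial=$(openssl x509 -in leaf.crt -noout -serial | cut -d= -f2)
    # index.txt columns: status, expiry (YYMMDDHHMMSSZ), revocation date,
    # serial (hex), certificate file, subject.
    printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=leaf\n' "$serial" > index.txt
}

# sign_response NAME: act as responder NAME and write NAME.der for the leaf.
# -noverify keeps this step from also verifying (and rejecting) its own output,
# -no_nonce keeps the later verification from tripping over a nonce mismatch.
sign_response() {
    openssl ocsp -index index.txt -CA ca.crt -rsigner "$1.crt" -rkey "$1.key" \
        -issuer ca.crt -cert leaf.crt -no_nonce -noverify \
        -respout "$1.der" >/dev/null 2>&1
}

# verify_response NAME [extra openssl ocsp options]: the relying-party check,
# trusting only the CA. Prints OK (exit 0, "Response verify OK") or FAIL.
verify_response() {
    name=$1; shift
    if openssl ocsp -respin "$name.der" -issuer ca.crt -cert leaf.crt \
           -no_nonce -CAfile ca.crt "$@" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

build_fixtures
sign_response resp_ok
sign_response resp_bad
echo "responder with OCSPSigning EKU:              $(verify_response resp_ok)"
echo "responder without OCSPSigning EKU:           $(verify_response resp_bad)"
echo "same, responder cert explicitly trusted:     $(verify_response resp_bad -VAfile resp_bad.crt)"
```

<p>With the CA as the only trust anchor, <code>openssl ocsp</code> accepts the response from the responder that has the EKU and rejects the one from the responder that lacks it (the error stack shows "missing ocspsigning usage" followed by "root CA not trusted"). The rejected response becomes acceptable only when the responder certificate is supplied as an explicitly trusted signer (<code>-VAfile</code>, or <code>-verify_other</code> with <code>-trust_other</code>), i.e. when the relying party opts out of the delegation check deliberately. The security reason for the default is the one the RFC's EKU rule exists for: without it, any certificate the CA has ever issued, such as an ordinary TLS server certificate, could sign status responses for every other certificate from that CA, so a single compromised leaf key could declare itself (and anything else) unrevoked.</p>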