<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">Hello,</div>
<div class=""><br class="">
</div>
<div class="">SHALL is not equivalent to a SHOULD, but to a MUST. See RFC2119.</div>
<br class="">
<div class="">
<div class="">Regards,</div>
<div class="">Erwann Abalea</div>
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 12 Sep 2017, at 02:46, Winter Mute &lt;<a href="mailto:zshrdlu@gmail.com" class="">zshrdlu@gmail.com</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">
<div class="">Hello,<br class="">
</div>
<span style="font-family:Tahoma,Verdana,Arial;font-size:14px" class="">The <a href="https://tools.ietf.org/html/rfc6960#section-4.2.2.2" target="_blank" class="">
RFC</a> states that:<br class="">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
OCSP signing delegation SHALL be designated by the inclusion of<br class="">
id-kp-OCSPSigning in an extended key usage certificate extension<br class="">
included in the OCSP response signer's certificate.</blockquote>
<div class="">The use of "SHALL" rather than "MUST" indicates that this recommendation can be ignored.<br class="">
</div>
<div class="">How does openssl handle OCSP responses signed by certificates that do not have
<span style="font-family:Tahoma,Verdana,Arial;font-size:14px" class="">id-kp-OCSPSigning in the extended key usage certificate extension when the responses are not signed by the issuing CA directly?<br class="">
</span></div>
<div class=""><span style="font-family:Tahoma,Verdana,Arial;font-size:14px" class="">What informs this decision/policy?<br class="">
</span></div>
<div class=""><span style="font-family:Tahoma,Verdana,Arial;font-size:14px" class="">Are there any security implications in including or excluding OCSP-sign in the extended key usage extension?<br class="">
</span></div>
</span></div>
-- <br class="">
openssl-dev mailing list<br class="">
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-dev" class="">
https://mta.openssl.org/mailman/listinfo/openssl-dev</a><br class="">
</div>
</blockquote>
</div>
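<div class="">Added example, not part of the original messages and not OpenSSL's code: the three cases in which RFC 6960 section 4.2.2.2 lets a client accept an OCSP response signer, including the id-kp-OCSPSigning check quoted above. The helper names and the hex-encoded ExtendedKeyUsage values are constructed for illustration.</div>

```python
# Added illustration; helper names are hypothetical, not OpenSSL APIs.
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER."""
    arcs, value = [], 0
    for byte in body:
        value = value * 128 + (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_oids(eku_der):
    """Parse an ExtendedKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER)."""
    tag, seq, _ = _read_tlv(eku_der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = set(), 0
    while pos != len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.add(_decode_oid(body))
    return oids

def signer_acceptable(is_issuing_ca, issued_by_ca, eku_der, locally_trusted=False):
    """Apply the three acceptance cases of RFC 6960 section 4.2.2.2."""
    if locally_trusted or is_issuing_ca:
        return True
    # Delegated responder: issued by the same CA AND carries id-kp-OCSPSigning.
    return bool(issued_by_ca and eku_der) and ID_KP_OCSP_SIGNING in eku_oids(eku_der)

# Constructed ExtendedKeyUsage values, not taken from real certificates.
EKU_OCSP = bytes.fromhex("300a06082b06010505070309")    # id-kp-OCSPSigning
EKU_SERVER = bytes.fromhex("300a06082b06010505070301")  # id-kp-serverAuth
```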
<br class="">
</body>
</html>