[openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()
Dr. Stephen Henson
steve at openssl.org
Tue Feb 24 13:47:28 UTC 2015
On Wed, Feb 18, 2015, Stephan M?hlstrasser wrote:
>
> What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using
> the "-no_explicit" command line option. What exactly is checked by
> the X509_check_trust() call above with respect to the relevant RFCs?
>
If the responder root CA is set to be trusted for OCSP signing then it can be
used to sign OCSP responses for any certificate (aka a global responder). This
comes under:
1. Matches a local configuration of OCSP signing authority for the
certificate in question
or alternatively:
Additional acceptance or rejection criteria may apply to either the
response itself or to the certificate used to validate the signature
on the response.
from RFC2560 et al.
If the -no_explicit flag is set or OCSP_NOEXPLICIT is set then this behaviour
is disabled.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users
mailing list