[openssl-dev] id-kp-OCSPSigning extended key usage

Winter Mute zshrdlu at gmail.com
Tue Sep 12 00:46:13 UTC 2017


Hello,
The RFC <https://tools.ietf.org/html/rfc6960#section-4.2.2.2> states that:

> OCSP signing delegation SHALL be designated by the inclusion of
> id-kp-OCSPSigning in an extended key usage certificate extension
> included in the OCSP response signer's certificate.

The use of "SHALL" rather than "MUST" indicates that this recommendation
can be ignored.
How does openssl handle OCSP responses signed by certificates that do not
have id-kp-OCSPSigning in the extended key usage certificate extension when
the responses are not signed by the issuing CA directly?
What informs this decision/policy?
Are there any security implications in including or excluding OCSP-sign in
the extended key usage extension?
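The following is an added example, not code from the original post or from the OpenSSL project; it answers the "how does openssl handle it" question empirically with the openssl command-line tool. It builds a throwaway CA, a leaf certificate and two delegated responder certificates issued by that CA (one with id-kp-OCSPSigning, one without), signs an OCSP response for the leaf with each, and verifies the responses the way a client would. OpenSSL's OCSP_basic_verify accepts a signer other than the issuing CA only when the signer chains to that CA and carries id-kp-OCSPSigning; the reason string on a miss is "missing ocspsigning usage". The check is bypassed only when the verifier explicitly trusts the signer certificate (the -verify_other/-trust_other flags, OCSP_TRUSTOTHER in the API) or disables verification altogether. For reference, RFC 2119 defines SHALL as a synonym for MUST. All names (Demo Root CA, server.example, the responder subjects) are made up, and the script assumes an openssl 1.1.1 or 3.x binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OpenSSL project.
# It builds a throwaway PKI with the openssl CLI and checks how "openssl ocsp"
# treats a delegated responder with and without id-kp-OCSPSigning.
# Assumes an openssl binary (1.1.1 or 3.x) on PATH; every name here is made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Own req config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Demo Root CA
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

NEWKEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Self-signed CA; its delegates will answer OCSP queries on its behalf.
openssl req -x509 -config req.cnf $NEWKEY -keyout ca.key -out ca.crt \
    -days 1 -subj "/CN=Demo Root CA" >/dev/null 2>&1

# issue NAME SUBJECT EXTENSIONS: leaf cert signed by the CA. EXTENSIONS is
# x509v3 config text ("\n"-separated) that becomes the -extfile.
issue() {
    printf '%b' "$3" > "$1.ext"
    openssl req -new -config req.cnf $NEWKEY -keyout "$1.key" -out "$1.csr" \
        -subj "$2" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

issue ee         "/CN=server.example"  'basicConstraints=CA:FALSE\n'
issue resp_eku   "/CN=OCSP Responder"  'basicConstraints=CA:FALSE\nextendedKeyUsage=OCSPSigning\n'
issue resp_noeku "/CN=Rogue Responder" 'basicConstraints=CA:FALSE\n'

# CA index in "openssl ca" format so the responder can answer "good" for ee.crt
# (6 tab-separated fields: status, expiry, revocation, serial, file, subject).
serial=$(openssl x509 -noout -serial -in ee.crt | cut -d= -f2)
printf 'V\t391231235959Z\t\t%s\tunknown\t/CN=server.example\n' "$serial" > index.txt

# One request for ee.crt; nonces are disabled so the offline exchange is stable.
openssl ocsp -issuer ca.crt -cert ee.crt -no_nonce -reqout req.der >/dev/null 2>&1

# respond RSIGNER OUT: answer req.der as a delegated responder using RSIGNER's
# cert and key. The signer cert is embedded in the response by default.
respond() {
    openssl ocsp -index index.txt -CA ca.crt -rsigner "$1.crt" -rkey "$1.key" \
        -reqin req.der -respout "$2" -no_nonce -noverify >/dev/null 2>&1
}
respond resp_eku   resp_eku.der
respond resp_noeku resp_noeku.der

# outcome RESPFILE [verify options...]: verify a response as a client would and
# reduce the printed verdict to OK / FAIL / ERROR. The exit status of
# "openssl ocsp" on verify failure differs between releases, so it is not used.
outcome() {
    resp=$1; shift
    out=$(openssl ocsp -respin "$resp" -issuer ca.crt -cert ee.crt -no_nonce "$@" 2>&1) || true
    case $out in
        *"Response verify OK"*)      echo OK ;;
        *"Response Verify Failure"*) echo FAIL ;;
        *)                           echo ERROR ;;
    esac
}

# 1. Delegate with id-kp-OCSPSigning, chain anchored at the trusted CA: accepted.
echo "eku responder, trusted CA:      $(outcome resp_eku.der -CAfile ca.crt)"
# 2. Same CA issued the signer, but no id-kp-OCSPSigning: rejected.
echo "no-eku responder, trusted CA:   $(outcome resp_noeku.der -CAfile ca.crt)"
openssl ocsp -respin resp_noeku.der -issuer ca.crt -cert ee.crt -no_nonce \
    -CAfile ca.crt 2>&1 | grep -i 'ocspsigning usage' || true
# 3. Client explicitly trusts the signer cert: chain and delegation checks skipped.
echo "no-eku responder, -trust_other: $(outcome resp_noeku.der -verify_other resp_noeku.crt -trust_other)"
```

Run it as a plain POSIX shell script; it prints one verdict per case and the "missing ocspsigning usage" reason for the second. The third case is the one to remember when reviewing a client: any option that marks the responder certificate as directly trusted (OCSP_TRUSTOTHER, OCSP_NOVERIFY, or the corresponding CLI flags) drops the delegation check together with the chain check, so any certificate the client has been told to trust can then vouch for the status of every certificate under that CA. On the CA side, issuing id-kp-OCSPSigning hands the holder the power to assert "good" for anything the CA has issued, which is why RFC 6960 section 4.2.2.2.1 pairs delegation with the id-pkix-ocsp-nocheck extension and recommends short-lived, frequently renewed responder certificates.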