[openssl-dev] id-kp-OCSPSigning extended key usage
Mischa Salle
mischa.salle at gmail.com
Tue Sep 12 12:26:53 UTC 2017
Hi,
On Tue, Sep 12, 2017 at 2:46 AM, Winter Mute <zshrdlu at gmail.com> wrote:
> Hello,
> The RFC <https://tools.ietf.org/html/rfc6960#section-4.2.2.2> states that:
>
>> OCSP signing delegation SHALL be designated by the inclusion of
>> id-kp-OCSPSigning in an extended key usage certificate extension
>> included in the OCSP response signer's certificate.
>
> The use of "SHALL" rather than "MUST" indicates that this recommendation
> can be ignored.
>
SHALL is equivalent to MUST, see RFC2119:
.... MUST This word, or the terms "REQUIRED" or "SHALL"...
I think you're thinking of SHOULD.
Cheers,
Mischa
> How does openssl handle OCSP responses signed by certificates that do not
> have id-kp-OCSPSigning in the extended key usage certificate extension
> when the responses are not signed by the issuing CA directly?
> What informs this decision/policy?
> Are there any security implications in including or excluding OCSP-sign in
> the extended key usage extension?
>
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
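The delegation rule Winter Mute quotes from RFC 6960 section 4.2.2.2, worked through as an added example; this is not code from the thread or from OpenSSL's own sources. It builds a throwaway CA and two certificates issued by it, one carrying id-kp-OCSPSigning and one carrying only serverAuth, then applies the acceptance rule a relying party uses for a response signer: accept if the signer is the issuing CA itself, accept if the signer was issued by that CA and carries id-kp-OCSPSigning, otherwise reject. The security point the rule protects is that, without the EKU requirement, any end-entity certificate issued by the CA could sign a "good" status for a revoked sibling certificate. Assumptions: the `openssl` CLI (1.1.1 or later) is on PATH, the subject names and file names are constructed for the demo, and a temporary directory is used for all files.

```shell
#!/bin/sh
# Added example, not code from the openssl-dev thread or from OpenSSL itself.
# Builds a demo CA plus two issued certificates and applies the RFC 6960
# delegated-responder rule to each. All names and files are constructed.

# write_cfg FILE: minimal openssl.cnf for the demo (constructed, not a real deployment).
write_cfg() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_demo_certs DIR: self-signed CA, a delegated responder certificate
# (EKU id-kp-OCSPSigning present) and a plain server certificate (EKU absent),
# both issued by the CA.
make_demo_certs() {
    dir=$1
    write_cfg "$dir/openssl.cnf"
    openssl req -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Demo CA" -days 30 >/dev/null 2>&1
    printf 'extendedKeyUsage = OCSPSigning\n' > "$dir/eku.cnf"
    printf 'extendedKeyUsage = serverAuth\n' > "$dir/noeku.cnf"
    for name in delegated nodelegation; do
        if [ "$name" = delegated ]; then ext=eku.cnf; else ext=noeku.cnf; fi
        openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" \
            -subj "/CN=Demo $name" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 30 -extfile "$dir/$ext" \
            -out "$dir/$name.pem" >/dev/null 2>&1
    done
}

# has_ocsp_signing_eku CERT: exit 0 iff the extendedKeyUsage extension lists OCSP Signing.
has_ocsp_signing_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | grep -q 'OCSP Signing'
}

# verdict WORD REASON: the verdict alone goes to stdout, the reason to stderr.
verdict() {
    echo "$1"
    echo "  reason: $2" >&2
}

# ocsp_signer_acceptable SIGNER ISSUER: apply the RFC 6960 4.2.2.2 rule.
# ISSUER is the CA that issued the certificate whose status is being checked.
ocsp_signer_acceptable() {
    signer=$1
    issuer=$2
    sfp=$(openssl x509 -in "$signer" -noout -fingerprint -sha256)
    ifp=$(openssl x509 -in "$issuer" -noout -fingerprint -sha256)
    if [ "$sfp" = "$ifp" ]; then
        verdict accept "response signed directly by the issuing CA"
    elif ! openssl verify -CAfile "$issuer" "$signer" >/dev/null 2>&1; then
        verdict reject "signer was not issued by the CA of the certificate in question"
    elif has_ocsp_signing_eku "$signer"; then
        verdict accept "delegated responder, id-kp-OCSPSigning present"
    else
        verdict reject "delegated responder without id-kp-OCSPSigning"
    fi
}

# Demo run: the CA itself, the delegated responder and the plain certificate.
DEMO_DIR=$(mktemp -d)
make_demo_certs "$DEMO_DIR"
for c in ca delegated nodelegation; do
    printf '%s -> ' "$c"
    ocsp_signer_acceptable "$DEMO_DIR/$c.pem" "$DEMO_DIR/ca.pem"
done
```

Running the script prints `accept` for `ca` and `delegated` and `reject` for `nodelegation`; the temporary directory is left in place so the generated files can be inspected with `openssl x509 -text`. OpenSSL itself applies the same rule in `OCSP_basic_verify()`, which is what `openssl ocsp -verify` and the library's OCSP stapling checks go through: a response signed by a certificate that is neither the issuing CA nor a delegated responder with id-kp-OCSPSigning fails with "missing ocspsigning usage" unless the caller deliberately switches the signer checks off with `-no_cert_checks` (the `OCSP_NOCHECKS` flag) or designates the signer as trusted with `-trust_other`.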