[openssl-dev] id-kp-OCSPSigning extended key usage
Erwann Abalea
Erwann.Abalea at docusign.com
Tue Sep 12 11:59:36 UTC 2017
Hello,
SHALL is not equivalent to a SHOULD, but to a MUST. See RFC2119.
Regards,
Erwann Abalea
On 12 Sept. 2017 at 02:46, Winter Mute <zshrdlu at gmail.com> wrote:
Hello,
The RFC <https://tools.ietf.org/html/rfc6960#section-4.2.2.2> states that:
OCSP signing delegation SHALL be designated by the inclusion of
id-kp-OCSPSigning in an extended key usage certificate extension
included in the OCSP response signer's certificate.
The use of "SHALL" rather than "MUST" indicates that this recommendation can be ignored.
How does openssl handle OCSP responses signed by certificates that do not have id-kp-OCSPSigning in the extended key usage certificate extension when the responses are not signed by the issuing CA directly?
What informs this decision/policy?
Are there any security implications in including or excluding OCSP-sign in the extended key usage extension?
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
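The thread above turns on the id-kp-OCSPSigning extended key usage in a delegated responder's certificate. The following is an added example, not code from the thread or from OpenSSL itself: it implements the responder acceptance rule of RFC 6960 section 4.2.2.2 (the response signer is the issuing CA, a locally configured trusted responder, or a delegated responder whose certificate was issued by that CA and carries id-kp-OCSPSigning) and includes a minimal DER decoder for the ExtKeyUsageSyntax value so the EKU check runs on real extension bytes. The function and parameter names are assumptions for illustration, and the responder EKU bytes in the demo are constructed here rather than taken from any real certificate. The script uses only the Python standard library.

```python
"""Check an OCSP response signer against the RFC 6960 4.2.2.2 acceptance rule.

The EKU decoder below handles ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId,
i.e. the contents of the extension's OCTET STRING wrapper, which is what a
certificate parser hands you for extension OID 2.5.29.37.
"""

# Key purpose OIDs from RFC 5280 / RFC 6960.
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the octet count
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def _decode_oid(content):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(arc) for arc in arcs)


def _encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (used to build samples)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids):
    """Build a DER ExtKeyUsageSyntax value from a list of dotted OIDs."""
    body = b"".join(_encode_oid(oid) for oid in oids)
    return bytes([0x30, len(body)]) + body


def parse_eku(ext_value):
    """Return the list of key purpose OIDs in a DER ExtKeyUsageSyntax value."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("ExtKeyUsageSyntax must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(_decode_oid(content))
    return oids


def ocsp_signer_acceptable(signed_by_issuer, locally_trusted, issued_by_ca, eku_value):
    """Apply RFC 6960 4.2.2.2 to the certificate that signed an OCSP response.

    signed_by_issuer: the signer is the CA that issued the certificate in question.
    locally_trusted:  the signer is an explicitly configured trusted responder.
    issued_by_ca:     the signer's certificate was issued by that same CA.
    eku_value:        DER ExtKeyUsageSyntax bytes, or None if the extension is absent.
    Only the delegated case (3) depends on id-kp-OCSPSigning; a delegated
    responder without the EKU, or with no EKU extension at all, is rejected.
    """
    if signed_by_issuer or locally_trusted:
        return True
    if not issued_by_ca or eku_value is None:
        return False
    return ID_KP_OCSP_SIGNING in parse_eku(eku_value)


if __name__ == "__main__":
    # Constructed sample: EKU bytes as they would appear in a delegated responder cert.
    delegated_eku = encode_eku([ID_KP_OCSP_SIGNING])
    web_server_eku = encode_eku([ID_KP_SERVER_AUTH])
    print("delegated responder with id-kp-OCSPSigning:",
          ocsp_signer_acceptable(False, False, True, delegated_eku))
    print("CA-issued cert with only serverAuth EKU:   ",
          ocsp_signer_acceptable(False, False, True, web_server_eku))
    print("CA-issued cert with no EKU extension:      ",
          ocsp_signer_acceptable(False, False, True, None))
```

The two failing cases in the demo are the ones the question is about: a certificate chained to the right CA but lacking the id-kp-OCSPSigning purpose does not satisfy case (3), so a relying party following the RFC strictly has no basis to accept its signature on a response. Checking only that the signer chains to the CA would let any end-entity certificate that CA issued sign status responses for its siblings, which is the risk the EKU designation exists to close.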