[openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()
Dr. Stephen Henson
steve at openssl.org
Tue Feb 24 13:47:28 UTC 2015

On Wed, Feb 18, 2015, Stephan Mühlstrasser wrote:
> What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using
> the "-no_explicit" command line option? What exactly is checked by
> the X509_check_trust() call above with respect to the relevant RFCs?
If the responder root CA is set to be trusted for OCSP signing then it can be
used to sign OCSP responses for any certificate (aka a global responder). This

   1. Matches a local configuration of OCSP signing authority for the
      certificate in question

   Additional acceptance or rejection criteria may apply to either the
   response itself or to the certificate used to validate the signature
   on the response.

from RFC2560 et al.

If the -no_explicit flag is set or OCSP_NOEXPLICIT is set then this behaviour
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org