[openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

Dr. Stephen Henson steve at openssl.org
Tue Feb 24 13:47:28 UTC 2015

On Wed, Feb 18, 2015, Stephan Mühlstrasser wrote:

> What is the meaning of setting the OCSP_NOEXPLICIT flag, or of using
> the "-no_explicit" command line option? What exactly is checked by
> the X509_check_trust() call above with respect to the relevant RFCs?

If the responder root CA is set to be trusted for OCSP signing then it can be
used to sign OCSP responses for any certificate (aka a global responder). This
comes under:

   1. Matches a local configuration of OCSP signing authority for the
   certificate in question

or alternatively:

   Additional acceptance or rejection criteria may apply to either the
   response itself or to the certificate used to validate the signature
   on the response.

from RFC2560 et al.

If the -no_explicit flag is set or OCSP_NOEXPLICIT is set then this behaviour
is disabled.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
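As an added illustration (this is not part of Steve's reply, nor code from the OpenSSL project), the POSIX shell script below builds a throwaway PKI with the openssl command line tool and runs the three verifications that make the "global responder" behaviour visible: a responder whose root has been marked trusted for OCSP signing with "openssl x509 -addtrust OCSPSigning" is accepted for a certificate issued by an unrelated CA; the same response is rejected once -no_explicit is given; and it is rejected as well when the root carries no such trust setting. Every name, subject, serial number and the index.txt row are made up for the demo, and it assumes an openssl binary (1.1.1 or 3.x was the target) on the PATH.

```shell
#!/bin/sh
# Added demo (not from the original post): a throwaway PKI built with the
# openssl CLI that shows what -no_explicit (OCSP_NOEXPLICIT) switches off.
#
# Layout (every name, subject and serial here is made up for this demo):
#   issuing-ca -> leaf        the certificate whose status is queried
#   ocsp-root  -> responder   a "global responder" with no tie to issuing-ca
# "responder" is neither the issuer of "leaf" nor delegated by that issuer,
# so OCSP_basic_verify() can only accept its response through the explicit
# trust path: the root of the responder's chain must carry an OCSPSigning
# trust setting (openssl x509 -addtrust OCSPSigning). -no_explicit disables
# exactly that path, so the same response is then rejected.
set -eu
command -v openssl >/dev/null || { echo "openssl not on PATH, nothing to show" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# newcert NAME SUBJECT EXTENSIONS [ISSUER SERIAL]: self-signed without ISSUER.
newcert() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "$2" -out "$1.csr" 2>/dev/null
  printf '%b\n' "$3" > "$1.ext"
  if [ $# -lt 5 ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 \
      -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -set_serial "$5" \
      -days 365 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
newcert issuing-ca '/CN=Demo Issuing CA' "$CA_EXT"
newcert leaf '/CN=demo.example' 'basicConstraints=CA:FALSE' issuing-ca 0x1001
newcert ocsp-root '/CN=Demo OCSP Root' "$CA_EXT"
newcert responder '/CN=Demo Global Responder' \
  'keyUsage=critical,digitalSignature\nextendedKeyUsage=OCSPSigning' ocsp-root 7

# Status database in "openssl ca" index format (status, expiry, revocation
# date, serial in hex, file, subject); the responder looks rows up by serial.
printf 'V\t391231235959Z\t\t1001\tunknown\t/CN=demo.example\n' > index.txt

# Play an offline responder: answer the query for "leaf", signed by "responder".
openssl ocsp -index index.txt -CA issuing-ca.pem -rsigner responder.pem \
  -rkey responder.key -ndays 1 -issuer issuing-ca.pem -cert leaf.pem \
  -respout resp.der >/dev/null

# Mark the responder's root as trusted for OCSP signing. The output is a
# "TRUSTED CERTIFICATE" block whose aux data is what X509_check_trust() reads.
openssl x509 -in ocsp-root.pem -addtrust OCSPSigning -out ocsp-root-trusted.pem

# verify_status OPTIONS...: prints 0 when "openssl ocsp" accepts resp.der and
# 1 on "Response Verify Failure". -issuer is deliberately not passed: if the
# first verification fails, the ocsp app retries with only OCSP_TRUSTOTHER and
# the -issuer certificates, which would hide the effect of -no_explicit.
verify_status() {
  if openssl ocsp -respin resp.der -no_nonce "$@" >/dev/null 2>&1; then
    echo 0
  else
    echo 1
  fi
}

EXPLICIT_TRUST=$(verify_status -CAfile ocsp-root-trusted.pem)
NO_EXPLICIT=$(verify_status -CAfile ocsp-root-trusted.pem -no_explicit)
UNMARKED_ROOT=$(verify_status -CAfile ocsp-root.pem)

echo "root marked OCSPSigning, default flags: $EXPLICIT_TRUST   (0 = verify OK)"
echo "root marked OCSPSigning, -no_explicit : $NO_EXPLICIT"
echo "root not marked, default flags        : $UNMARKED_ROOT"
```

The first run prints "Response verify OK" because, after ocsp_check_issuer() finds no issuer or delegated-signer match, OCSP_basic_verify() walks to the top of the responder's chain and asks X509_check_trust() for the OCSPSigning trust setting; the second run fails at that same point because OCSP_NOEXPLICIT makes it return before the question is asked, and the third fails because the plain root has no aux trust data to answer it with. In C the equivalent of the second run is OCSP_basic_verify(bs, NULL, store, OCSP_NOEXPLICIT).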
