[openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()
Stephan Mühlstrasser
stm at pdflib.com
Tue Feb 24 16:00:54 UTC 2015
Am 24.02.15 um 14:47 schrieb Dr. Stephen Henson:
> If the responder root CA is set to be trusted for OCSP signing then it can be
> used to sign OCSP responses for any certificate (aka a global responder). This
> comes under:
>
> 1. Matches a local configuration of OCSP signing authority for the
> certificate in question
>
> or alternatively:
>
> Additional acceptance or rejection criteria may apply to either the
> response itself or to the certificate used to validate the signature
> on the response.
>
> from RFC2560 et al.
>
> If the -no_explicit flag is set or OCSP_NOEXPLICIT is set then this behaviour
> is disabled.
>
Do I understand it correctly then that "a local configuration of OCSP
signing authority" here means that it is a deliberate choice inside
OpenSSL itself to look for the OCSPSigning flag in the extended key
usage of the root CA, although RFC 2560 does not say so?
--
Stephan
More information about the openssl-users
mailing list