On Tue, Mar 23, 2010, PGNet Dev wrote:

> hi,
>
> On Tue, Mar 23, 2010 at 4:56 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> >> Which, if any/all, of the "Digital Signature, Non Repudiation, Key
> >> Encipherment" KeyUsage specifications are required, if this cert will
> >> be used ONLY for/by the OCSP responder daemon?
> >>
> >
> > Well Key Encipherment is not required and there's the usual can of worms
> > associated with the NR bit. I'd say just digital signature is sufficient.
>
> Thanks.
>
> Not sure what the "usual can of worms" refers to; worth a bit of
> digging, I suppose.
>

If you aren't sorry you did you might be the first person who isn't. Just
warning you...

> Also, in an OCSP cert's 'type',
>
>  nsCertType = server, client, objsign
>
> Is client really necessary? Server & Objsign I can understand ... or,
> is it similar to SMTP where there exist both server & client
> components?
>

It's a deprecated extension from long ago. Best leave it out altogether.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
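Added example, not part of the thread and not OpenSSL project code: a small Python check that reads the extension block of `openssl x509 -noout -text` output and reports where an OCSP responder certificate departs from the advice in the reply above (digital signature only, no nsCertType). Both sample dumps are constructed, and the function names are hypothetical.

```python
import re

# Constructed samples of the extension block printed by
# `openssl x509 -noout -text`; neither comes from a real certificate.
AS_ASKED = """\
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Cert Type:
                SSL Client, SSL Server, Object Signing
"""
AS_ADVISED = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
"""

def parse_extensions(text):
    """Map extension name -> list of values from an `openssl x509 -text` dump."""
    exts, name = {}, None
    for line in text.splitlines():
        # Extension names sit at 12 spaces of indent, their values at 16.
        header = re.match(r"^ {12}(\S.*?):\s*(critical)?\s*$", line)
        if header:
            name = header.group(1)
            exts[name] = []
        elif name and line.startswith(" " * 16) and line.strip():
            exts[name] += [v.strip() for v in line.split(",") if v.strip()]
    return exts

def audit_ocsp_responder(text):
    """Return findings where the cert departs from the advice in the thread."""
    exts = parse_extensions(text)
    usage = exts.get("X509v3 Key Usage", [])
    findings = []
    if "X509v3 Key Usage" in exts and "Digital Signature" not in usage:
        findings.append("keyUsage lacks Digital Signature")
    for bit in usage:
        if bit != "Digital Signature":
            findings.append(f"keyUsage has unneeded bit: {bit}")
    if "Netscape Cert Type" in exts:
        findings.append("deprecated nsCertType extension present")
    return findings

if __name__ == "__main__":
    for label, dump in (("as asked", AS_ASKED), ("as advised", AS_ADVISED)):
        print(label, audit_ocsp_responder(dump))
```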