On 23/03/10 8:50 PM, PGNet Dev wrote:
> On Tue, Mar 23, 2010 at 4:54 PM, Patrick Patterson
> <ppatter...@carillonis.com> wrote:
>>> where "OCSP.cert.pem" is a single-purpose cert, only for the OCSP responder.
>>>
>> I hope you realize that there are MANY warnings against doing this for
>> other than test purposes - for one thing, the server will fall over and
>> die if it encounters any sort of error at all (there is an option that
>> you can give it to stop it doing that that I can't recall at the moment,
>> but I still wouldn't trust it for any sort of load at all).
>
> Alas, I realize no such thing :-( By "doing this", what do you mean?
> Running an OCSP responder, or having a single-purpose cert?
>
> Can you please expound a bit?
>
Using the openssl ocsp command to run a "production" ocsp responder.
>>> What's the MINIMAL (Extended)KeyUsage for the cert?
>>>
>> Well, according to the framers of the FBCA Certificate Policy, and the
>> CertiPath certificate policy (which count among them, several of the
>> authors of the OCSP standards), KU for an OCSP server should be:
>>
>> digitalSignature, nonRepudiation
>>
>> with an EKU of: OCSPSigning
>>
>> and the OCSPNoCheck extension present (to avoid looping).
>
> Maybe I'm reading the wrong doc. @,
>
> http://www.idmanagement.gov/fpkipa/documents/CertCRLprofileForCP.pdf
> "X.509 Certificate and Certificate Revocation List (CRL) Extensions
> Worksheet 10: Certificate Profile for Delegated OCSP Responders"
> Pg 51
>
> seems to imply only required KU of 'digitalSignature'. no?

Ok - then I believe that the CertiPath folks are out of date - the keyUsage
I gave was from their current CP - if the FBCA folks have gone with only
digitalSignature, then I'd stick with that.

Patrick.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
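An added example in Go (not code from the thread, nor from OpenSSL): a throwaway CA issues a delegated responder certificate carrying the profile discussed above (KU digitalSignature, EKU OCSPSigning, and the OCSP No Check extension), followed by the check a relying party can run on any responder cert before trusting its responses. The CA and responder names are constructed for the example; the OID 1.3.6.1.5.5.7.48.1.5 is id-pkix-ocsp-nocheck from RFC 6960.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-pkix-ocsp-nocheck: relying parties skip revocation checks on the responder cert itself, which avoids the loop the thread mentions.
var oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}

// NewDelegatedResponder: a throwaway CA (constructed for this example) issues a responder cert with the thread's profile: KU digitalSignature, EKU OCSPSigning, OCSP No Check.
func NewDelegatedResponder() (*x509.Certificate, error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	rPub, _, _ := ed25519.GenerateKey(rand.Reader) // responder's private half is not needed here
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		PublicKey: caPub, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example OCSP Responder"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning},
		// No Check carries an ASN.1 NULL value; only its presence matters.
		ExtraExtensions: []pkix.Extension{{Id: oidOCSPNoCheck, Value: asn1.NullBytes}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, rPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckOCSPResponderCert is the relying-party side: reject a cert lacking any part of the
// profile. Chaining it to the issuing CA is a separate step (x509.Verify), not done here.
func CheckOCSPResponderCert(c *x509.Certificate) error {
	eku, noCheck := false, false
	for _, e := range c.ExtKeyUsage {
		eku = eku || e == x509.ExtKeyUsageOCSPSigning
	}
	for _, x := range c.Extensions {
		noCheck = noCheck || x.Id.Equal(oidOCSPNoCheck)
	}
	if digSig := c.KeyUsage&x509.KeyUsageDigitalSignature != 0; !digSig || !eku || !noCheck {
		return fmt.Errorf("responder cert profile: digitalSignature=%v OCSPSigning=%v noCheck=%v", digSig, eku, noCheck)
	}
	return nil
}
```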