Am 24.02.15 um 14:47 schrieb Dr. Stephen Henson:
If the responder root CA is set to be trusted for OCSP signing then it can be used to sign OCSP responses for any certificate (aka a global responder). This comes under:1. Matches a local configuration of OCSP signing authority for the certificate in question or alternatively: Additional acceptance or rejection criteria may apply to either the response itself or to the certificate used to validate the signature on the response. from RFC2560 et al. If the -no_explicit flag is set or OCSP_NOEXPLICIT is set then this behaviour is disabled.
Do I understand it correctly then that "a local configuration of OCSP signing authority" here means that it is a deliberate choice inside OpenSSL itself to look for the OCSPSigning flag in the extended key usage of the root CA, although RFC 2560 does not say so?
-- Stephan _______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
