Am 18.02.15 um 13:19 schrieb Stephan M?hlstrasser: > > Unfortunately the "-no_explicit" command line option is not documented: > > https://www.openssl.org/docs/apps/ocsp.html > > What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using the > "-no_explicit" command line option. What exactly is checked by the > X509_check_trust() call above with respect to the relevant RFCs? > As there is no documentation and as noone seems to know the meaning of the -no_explicit for "openssl ocsp", should I file a documentation defect in RT for that? If I understand the code in OCSP_basic_verify() that is depending on the OCSP_NOEXPLICIT flag correctly, it checks the root CA for the presence of the OCSPSigning flag in the extended key usage field. I could not find anything in RFC 6960 and RFC 2560 that would mandate such a check for the root CA certificate. Only the OCSP signing certificate must have OCSPSigning in the extended key usage field. So maybe it is even a bug in the code itself? -- Stephan
