On Wed, Feb 18, 2015, Stephan M?hlstrasser wrote: > > What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using > the "-no_explicit" command line option. What exactly is checked by > the X509_check_trust() call above with respect to the relevant RFCs? > If the responder root CA is set to be trusted for OCSP signing then it can be used to sign OCSP responses for any certificate (aka a global responder). This comes under: 1. Matches a local configuration of OCSP signing authority for the certificate in question or alternatively: Additional acceptance or rejection criteria may apply to either the response itself or to the certificate used to validate the signature on the response. from RFC2560 et al. If the -no_explicit flag is set or OCSP_NOEXPLICIT is set then this behaviour is disabled. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org
