Am 24.02.15 um 14:47 schrieb Dr. Stephen Henson: > If the responder root CA is set to be trusted for OCSP signing then it can be > used to sign OCSP responses for any certificate (aka a global responder). This > comes under: > > 1. Matches a local configuration of OCSP signing authority for the > certificate in question > > or alternatively: > > Additional acceptance or rejection criteria may apply to either the > response itself or to the certificate used to validate the signature > on the response. > > from RFC2560 et al. > > If the -no_explicit flag is set or OCSP_NOEXPLICIT is set then this behaviour > is disabled. > Do I understand it correctly then that "a local configuration of OCSP signing authority" here means that it is a deliberate choice inside OpenSSL itself to look for the OCSPSigning flag in the extended key usage of the root CA, although RFC 2560 does not say so? -- Stephan
