Hello, The RFC <https://tools.ietf.org/html/rfc6960#section-4.2.2.2> states that:
> OCSP signing delegation SHALL be designated by the inclusion of > id-kp-OCSPSigning in an extended key usage certificate extension > included in the OCSP response signer's certificate. The use of "SHALL" rather than "MUST" indicates that this recommendation can be ignored. How does openssl handle OCSP responses signed by certificates that do not have id-kp-OCSPSigning in the extended key usage certificate extension when the responses are not signed by the issuing CA directly? What informs this decision/policy? Are there any security implications in including or excluding OCSP-sign in the extended key usage extension?
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev