Hi,
On Tue, Sep 12, 2017 at 2:46 AM, Winter Mute <zshr...@gmail.com> wrote: > Hello, > The RFC <https://tools.ietf.org/html/rfc6960#section-4.2.2.2> states that: > >> OCSP signing delegation SHALL be designated by the inclusion of >> id-kp-OCSPSigning in an extended key usage certificate extension >> included in the OCSP response signer's certificate. > > The use of "SHALL" rather than "MUST" indicates that this recommendation > can be ignored. > SHALL is equivalent to MUST, see RFC2119: .... MUST This word, or the terms "REQUIRED" or "SHALL"... I think you're thinking of SHOULD. Cheers, Mischa How does openssl handle OCSP responses signed by certificates that do not > have id-kp-OCSPSigning in the extended key usage certificate extension > when the responses are not signed by the issuing CA directly? > What informs this decision/policy? > Are there any security implications in including or excluding OCSP-sign in > the extended key usage extension? > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > >
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev