On Mon, Nov 28, 2005, Stefan Vatev wrote:

> Another question bothering me is what is written in the ocsp
> documentation. This is done when all other verification
> checks failed:
> "
> Otherwise the root CA of the OCSP responders CA is checked
> to see if it is trusted for OCSP signing. If it is the OCSP
> verify succeeds.
> "
>
> My question is whether this check is openssl-specific or is
> RFC-based, because I've been searching for it in RFC2560
> with no success.

This is covered by 2.2 and the possibility of "a Trusted Responder whose
public key is trusted by the requester". The RFC leaves the criteria
under which the public key will be trusted by the requester open. It is
one way under which a "global responder" can be trusted.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
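
The trust setting discussed in this thread, as an added example that is not part of the original messages or of OpenSSL's own code: a constructed issuing CA and a separate responder root show `openssl ocsp` rejecting a response signed under an unrelated root until that root carries the OCSPSigning trust setting. All file names, subjects and serials are made up, and the script assumes a stock `openssl` with its default config file.

```shell
#!/bin/sh
# Constructed demo: every name, subject and serial below is invented.
# Prints the two verification verdicts as "<plain root> <OCSP-trusted root>".
ocsp_global_responder_demo() (
    set -e
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
    q() { "$@" >/dev/null 2>&1; }                     # run a command quietly
    newroot() {                                       # newroot <cn> <name>
        q openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=$1" -keyout "$2.key" -out "$2.pem"
    }
    issue() {                                         # issue <cn> <name> <ca> <serial>
        q openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=$1" -keyout "$2.key" -out "$2.csr"
        q openssl x509 -req -in "$2.csr" -CA "$3.pem" -CAkey "$3.key" \
            -set_serial "$4" -days 1 -out "$2.pem"
    }
    newroot "Demo Issuing CA" ca                      # CA of the cert being checked
    issue "leaf.example" leaf ca 0x1001
    newroot "Demo Responder Root" rroot               # unrelated root of the responder
    issue "Demo Global Responder" resp rroot 0x2001

    # Minimal responder database: the leaf (serial 1001) is valid.
    printf 'V\t350101000000Z\t\t1001\tunknown\t/CN=leaf.example\n' > index.txt
    q openssl ocsp -issuer ca.pem -cert leaf.pem -reqout req.der
    q openssl ocsp -index index.txt -CA ca.pem -rsigner resp.pem -rkey resp.key \
        -reqin req.der -respout resp.der -ndays 1

    # Same root, rewritten as a trusted certificate marked for OCSP signing.
    q openssl x509 -in rroot.pem -addtrust OCSPSigning -out rroot-ocsp.pem

    verdict() {                                       # verdict <CAfile>
        if openssl ocsp -reqin req.der -respin resp.der -CAfile "$1" 2>&1 |
            grep -q 'Response verify OK'
        then echo OK; else echo FAIL; fi
    }
    echo "$(verdict rroot.pem) $(verdict rroot-ocsp.pem)"
)

ocsp_global_responder_demo    # prints: FAIL OK
```

The responder chain validates in both runs; only the final check on the responder's root differs, which is the step quoted from the documentation above.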