On Wed, Nov 08, 2006, Simon McMahon wrote:

> Hi Steve,
>
> > Err no it doesn't, it isn't part of EKU.
> That's what I thought but I couldn't find "noCheck = yes" and stumbled
> onto the eku method.
>

That wasn't documented, though it is now :-)

> When I use "extendedKeyUsage = OCSP Signing, OCSP No Check"
> OpenSSL generates:
>
> X509v3 extensions:
>     X509v3 Basic Constraints:
>         CA:FALSE
>     X509v3 Extended Key Usage:
>         OCSP Signing, id-pkix-ocsp-nocheck
>
> So I thought this was where it goes. I also know of at least one other PKI
> implementation that makes this mistake.
>

Yes, currently OpenSSL doesn't stop you doing things like that; as long as the
EKU string is an OID it doesn't care.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
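An added example, not part of the original thread: a small lint over `openssl x509 -noout -text` output that reports whether id-pkix-ocsp-nocheck appears as its own extension or was misplaced inside Extended Key Usage, as in the output quoted above. Both sample dumps are constructed, and the parser assumes the indentation layout OpenSSL uses for its text output.

```python
import re

# Constructed samples of the extensions block from `openssl x509 -noout -text`.
MISPLACED = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                OCSP Signing, id-pkix-ocsp-nocheck
"""
CORRECT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                OCSP Signing
            OCSP No Check:
"""
# The config form documented in x509v3_config for the real extension is: noCheck = ignored
NOCHECK_NAMES = {"ocsp no check", "id-pkix-ocsp-nocheck", "1.3.6.1.5.5.7.48.1.5"}

def parse_extensions(text):
    """Map extension name -> list of value lines, using indentation depth."""
    exts, current, base = {}, None, None
    lines = iter(text.splitlines())
    for line in lines:                      # skip ahead to the extensions header
        if line.strip() == "X509v3 extensions:":
            break
    for line in lines:
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        base = indent if base is None else base
        if indent < base:                   # left the extensions block
            break
        if indent == base:                  # extension name, maybe ": critical"
            current = exts.setdefault(re.sub(r":\s*(critical)?\s*$", "", stripped), [])
        else:                               # value line of the current extension
            current.append(stripped)
    return exts

def nocheck_placement(text):
    """Return (present_as_extension, present_inside_eku)."""
    exts = parse_extensions(text)
    eku = {v.strip().lower() for l in exts.get("X509v3 Extended Key Usage", [])
           for v in l.split(",")}
    return any(n.lower() in NOCHECK_NAMES for n in exts), bool(eku & NOCHECK_NAMES)
```

A result of (False, True) means the certificate carries the OID only as an EKU purpose, so a relying party looking for the OCSP No Check extension will not find it.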