On Thu, Nov 28, 2013, Erwann Abalea wrote:

> How nice, they're asking for a self-signed certificate to include a
> specific EKU to indicate it's a Trust Anchor, and the OID used for
> this has never been allocated. Crazy.
> 
> I just looked at OpenSSL's objects.txt database, and found some OIDs
> that need some change:
> 
> id-pkix-OCSP 8            : extendedStatus    : Extended OCSP Status
> should be "id-pkix-ocsp-pref-sig-algs" (RFC6960).
> 
> id-pkix-OCSP 9            : valid
> should be id-pkix-ocsp-extended-revoke (RFC6960).
> 
> id-pkix-OCSP 10           : path
> id-pkix-OCSP 11           : trustRoot             : Trust Root
> have never been defined by PKIX.
> 

Weird... I checked the OpenSSL OID history and those have been about since the
dawn of time... well July 2000 at any rate. They were added by Richard when
he created the scripts that handle objects.txt, no idea where they actually
came from.

Changing OIDs in the table is problematical. If anything uses them it could
break them in all sorts of ways. The NID_* entries would change and text-based
lookup would no longer work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
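
The comparison made in the quoted message can be automated. The following is an added example, not code from the thread or from OpenSSL: it parses objects.txt-style lines under id-pkix-OCSP and checks each arc against the names RFC 6960 assigns under 1.3.6.1.5.5.7.48.1. The sample input is constructed from the four lines quoted above plus a Nonce line, and the name comparison (ignoring case and punctuation) is an assumption of this example.

```python
import re

ARC = "1.3.6.1.5.5.7.48.1"  # id-pkix-ocsp (id-ad-ocsp) as defined in RFC 6960

# Arcs RFC 6960 assigns under id-pkix-ocsp, without the "id-pkix-ocsp-" prefix.
RFC6960 = {1: "basic", 2: "nonce", 3: "crl", 4: "response", 5: "nocheck",
           6: "archive-cutoff", 7: "service-locator",
           8: "pref-sig-algs", 9: "extended-revoke"}

# Constructed sample: the lines quoted in the thread plus one Nonce line.
SAMPLE = """\
# constructed excerpt in objects.txt layout
id-pkix-OCSP 2            : Nonce             : OCSP Nonce
id-pkix-OCSP 8            : extendedStatus    : Extended OCSP Status
id-pkix-OCSP 9            : valid
id-pkix-OCSP 10           : path
id-pkix-OCSP 11           : trustRoot             : Trust Root
"""

# "<base> <arc> : <short name> [: <long name>]"
LINE = re.compile(r"^(?P<base>[\w-]+)\s+(?P<arc>\d+)\s*:\s*(?P<sn>[^:]*?)\s*"
                  r"(?::\s*(?P<ln>.*?))?\s*$")

def norm(name):
    """Lowercase and drop punctuation so 'Nonce' compares equal to 'nonce'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def audit(text):
    """Return (oid, short_name, rfc_name, status) for each id-pkix-OCSP entry."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = LINE.match(line)
        if not m or m["base"] != "id-pkix-OCSP":
            continue
        arc = int(m["arc"])
        sn = m["sn"] or (m["ln"] or "")       # entries may omit the short name
        suffix = RFC6960.get(arc)
        if suffix is None:
            rfc_name, status = None, "unallocated"
        else:
            rfc_name = "id-pkix-ocsp-" + suffix
            status = "ok" if norm(sn) == norm(suffix) else "name-differs"
        findings.append((f"{ARC}.{arc}", sn, rfc_name, status))
    return findings

if __name__ == "__main__":
    for oid, sn, rfc_name, status in audit(SAMPLE):
        print(f"{oid:<22} {sn:<16} {status:<13} {rfc_name or '-'}")
```

A "name-differs" result only says the table's short name is not the RFC's name for that arc; as the reply above notes, renaming an entry in place changes what existing text-based lookups resolve to.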
