Because "OCSP signing Certificate" appears only once in the entire BR, the only requirements for them are having id-kp-OCSPSigning and id-pkix-ocsp-nocheck. This doesn't fit anywhere in the current requirements: this isn't a CA certificate nor a subscriber certificate by itself, although the OCSP signing role can technically be added into any of them, as BR 7.1.2's extKeyUsage limit is 'SHOULD NOT' for this key usage. If we consider that this type of certificate isn't a CA, can they sit outside of an HSM and use full CPU power to sign OCSP, which may benefit high-volume CAs? This may not be as dangerous as it sounds if its lifetime is short enough, like a week or 3 days.
-- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/418245b6-5ada-4dcf-acb5-98bf60b49dfdn%40mozilla.org.
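The post above describes a delegated OCSP responder certificate by its two distinguishing marks (the id-kp-OCSPSigning EKU and the id-pkix-ocsp-nocheck extension), its end-entity rather than CA status, and the idea that a short lifetime bounds the exposure of a responder key held outside an HSM. The following Go program is an added example, not code from the poster, Mozilla, or the Baseline Requirements: it issues a throwaway issuer and a delegated responder certificate with Go's standard crypto/x509 package and then runs a policy check that a CA or an auditor could apply to such certificates. The 7-day maximum lifetime and the constructed subject names are assumptions chosen for illustration; the OID 1.3.6.1.5.5.7.48.1.5 for id-pkix-ocsp-nocheck and its ASN.1 NULL value are as defined in RFC 6960.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-pkix-ocsp-nocheck (RFC 6960, section 4.2.2.2.1): tells relying parties
// not to check the revocation status of the responder certificate itself,
// which is why a short lifetime is the only thing that bounds a leaked key.
var oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}

// newIssuer creates a throwaway self-signed CA used only to sign the
// responder certificate in this example (constructed test data, not a real CA).
func newIssuer() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newResponderCert issues a delegated OCSP responder certificate: an
// end-entity certificate (no cA=TRUE) with EKU id-kp-OCSPSigning, the
// requested lifetime, and optionally the id-pkix-ocsp-nocheck extension.
func newResponderCert(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey,
	lifetime time.Duration, withNoCheck bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example OCSP Responder (constructed)"},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning},
	}
	if withNoCheck {
		// The extension value is ASN.1 NULL (tag 0x05, length 0).
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidOCSPNoCheck, Value: []byte{0x05, 0x00}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkResponderCert applies the policy the post describes: not a CA
// certificate, carries id-kp-OCSPSigning and id-pkix-ocsp-nocheck, and has a
// validity period no longer than maxLifetime (an assumed local policy value).
func checkResponderCert(cert *x509.Certificate, maxLifetime time.Duration) error {
	if cert.IsCA {
		return errors.New("responder certificate must not be a CA certificate")
	}
	hasOCSPSigning := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			hasOCSPSigning = true
		}
	}
	if !hasOCSPSigning {
		return errors.New("missing id-kp-OCSPSigning extended key usage")
	}
	hasNoCheck := false
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidOCSPNoCheck) {
			hasNoCheck = true
		}
	}
	if !hasNoCheck {
		return errors.New("missing id-pkix-ocsp-nocheck extension")
	}
	if lifetime := cert.NotAfter.Sub(cert.NotBefore); lifetime > maxLifetime {
		return fmt.Errorf("lifetime %s exceeds policy maximum %s", lifetime, maxLifetime)
	}
	return nil
}

// evaluateResponder builds an issuer and a responder certificate with the
// given parameters and returns the policy check result.
func evaluateResponder(lifetime time.Duration, withNoCheck bool, maxLifetime time.Duration) error {
	issuer, issuerKey, err := newIssuer()
	if err != nil {
		return err
	}
	cert, err := newResponderCert(issuer, issuerKey, lifetime, withNoCheck)
	if err != nil {
		return err
	}
	return checkResponderCert(cert, maxLifetime)
}

func main() {
	const maxLifetime = 7 * 24 * time.Hour // assumed local policy: one week
	fmt.Println("3-day responder with nocheck:", evaluateResponder(72*time.Hour, true, maxLifetime))
	fmt.Println("1-year responder with nocheck:", evaluateResponder(365*24*time.Hour, true, maxLifetime))
	fmt.Println("3-day responder without nocheck:", evaluateResponder(72*time.Hour, false, maxLifetime))
}
```

The check treats the lifetime bound as a local policy parameter rather than a BR requirement, since the post only proposes "a week or 3 days"; the point of pairing it with the nocheck test is that a responder certificate clients never revocation-check has no other mechanism limiting the damage window of a compromised software-held key.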
