> You can do this via the authority information access extension. The
> format is undocumented but something like:
> 
> authorityInfoAccess= OCSP;URI:http://some.oscp.server/whatever/path

Dear Steve:

Do you have the object identifiers for this?  Do you know of any sources
of info I can look at about this extension?  I can't find any mention
of it in RFC 2560.  Is it required in the root CA certs, or will it
work with it only added into the issued certs signed by the CA (so
that the root CA certs don't need any OCSP extensions)?
 
> However if you do this and you never run an OCSP server this is
> obviously a bad idea.

Netscape doesn't support it yet, and it will be turned off by default
in Mozilla 6.0.  So we have time to fully implement OCSP by the time
Netscape puts out future releases with OCSP on by default.

Besides, might it be possible to specify OCSP support in the
individual issued certs signed by the CA?  So that software using
those issued certs signed by OCSP root CA certs will only contact
an OCSP server depending only on whether the appropriate extensions are
within the issued certs signed by those CAs.

Thanks in advance.
Alicia.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
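
Added example, not part of the original messages or of the OpenSSL project's own material: a shell example that puts the `authorityInfoAccess` line from the quoted reply only in the extension section used when issuing certificates, leaves the root without it, and reads the OCSP URI back from each certificate. The section names, subjects and responder URL are constructed placeholders, and an `openssl` binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example; section names, subjects and the URL are constructed placeholders.
OCSP_URL="http://ocsp.example.test/"

# Create a throwaway root CA and one issued (leaf) certificate in directory $1.
build_demo_pki() {
    dir=$1
    cat > "$dir/demo.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ root_ext ]
basicConstraints = critical,CA:TRUE
[ leaf_ext ]
basicConstraints = CA:FALSE
authorityInfoAccess = OCSP;URI:$OCSP_URL
EOF
    # Self-signed root: its extension section carries no authorityInfoAccess.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/demo.cnf" -extensions root_ext -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Key and signing request for the issued certificate.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/demo.cnf" -subj "/CN=leaf.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    # The root signs the request; leaf_ext adds the OCSP pointer to this cert only.
    openssl x509 -req -in "$dir/leaf.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/demo.cnf" -extensions leaf_ext \
        -out "$dir/leaf.pem" 2>/dev/null || return 1
}

# Print the OCSP responder URI(s) in a certificate's AIA extension (nothing if absent).
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri
}
```

To try it, run `d=$(mktemp -d) && build_demo_pki "$d"` and compare `ocsp_uri_of "$d/leaf.pem"` with `ocsp_uri_of "$d/ca.pem"`.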
