Richard Levitte - VMS Whacker wrote:
> I definitely do *not* want to have to tell OpenSSL that I trust the CA
> of my "Trusted Responder" certificate, because that might imply that I
> trust any certificate that CA has produced.
Precisely, and that's why we have the key usage extensions. You wouldn't
necessarily want to trust this certificate to sign anything but OCSP
responses.
> What you seem to talk about is the "CA Designated Responder"
> certificate, which is a completely different story.
I don't think so. The CA designated responder, IIRC, is one where the
responder gets his public key signed by the CA in question (thus
"designated") in order to prove that he is trusted to respond to these
queries.
//oscar
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
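The distinction argued above, as an added example (not from the thread and not OpenSSL project code): a toy CA issues a CA-designated responder certificate whose extendedKeyUsage is OCSPSigning (id-kp-OCSPSigning, RFC 2560 section 4.2.2.2), plus an ordinary server certificate from the same CA. Only the CA is in the trust store; a certificate is accepted as a responder only if it chains to that CA and carries the OCSP Signing EKU, so trusting the CA for this purpose does not mean accepting every certificate it has produced as an OCSP signer. All names and file paths here are assumptions, and it needs an `openssl` binary (1.0.x or later).

```shell
# Added example (not from the thread): a CA-designated OCSP responder check.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Toy CA: self-signed, basicConstraints CA:TRUE so that verify accepts it as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.csr" \
  -subj "/CN=Toy CA" 2>/dev/null
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -out "$WORK/ca.pem" \
  -days 1 -extfile "$WORK/ca.ext" 2>/dev/null

# issue_cert NAME EKU: CA-signed end-entity certificate with the given extendedKeyUsage.
issue_cert() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=%s\n' "$2" \
    > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/$1.pem" -days 1 -extfile "$WORK/$1.ext" 2>/dev/null
}
issue_cert responder OCSPSigning   # the CA-designated responder
issue_cert webserver serverAuth    # some other certificate from the same CA

# is_designated_responder CA_PEM CERT_PEM: succeeds only if CERT_PEM chains to
# CA_PEM *and* its extendedKeyUsage includes OCSP Signing (id-kp-OCSPSigning).
# The responder itself is never added to the trust store.
is_designated_responder() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text 2>/dev/null | grep -q 'OCSP Signing'
}

is_designated_responder "$WORK/ca.pem" "$WORK/responder.pem" && echo "responder: accepted"
is_designated_responder "$WORK/ca.pem" "$WORK/webserver.pem" || echo "webserver: rejected"
```

The webserver certificate is signed by the same trusted CA but is rejected because its EKU is serverAuth rather than OCSPSigning, which is exactly the restriction the key usage extension provides.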