Understood, this indeed is the case. Is it a violation of good practice, RFC? What are the security risks?

--
Konrads Smelkovs
Applied IT sorcery.

On Tue, Mar 23, 2010 at 7:44 PM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Tue, Mar 23, 2010, Konrads Smelkovs wrote:
>
> > Hi,
> > The OCSP responder has EKU=OCSP:
> >
> >         X509v3 extensions:
> >             X509v3 Subject Key Identifier:
> >                 2B:6E:08:08:9D:92:5A:59:CB:BB:46:89:77:E8:A0:17:47:82:88:5C
> >             X509v3 Extended Key Usage:
> >                 OCSP
> >             X509v3 Key Usage:
> >                 Digital Signature, Non Repudiation
> >             X509v3 Authority Key Identifier:
> >                 keyid:CC:C3:F5:66:FF:73:AC:38:5A:96:1B:21:89:B8:81:4C:1F:CB:5E:25
> >
> > I attached OCSP cert. I believe this is setup #2 you described.
>
> It also has to be signed by the same CAs as the certificates it covers, a CA
> certificate higher up the chain is not permitted in that case.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org