RE: CA=True for an OCSP certificate
Steve,
I agree with you on the time stamp server.
But, under RFC 2560, one of the models is for the CA (and I interpret
that to mean using the same key that signed the certificate whose
revocation status is being checked) to sign the OCSP response. Hence
the CA certificate signing key can be used for OCSP signing.
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
On Behalf Of Stephen Kent
Sent: Wednesday, April 02, 2008 7:23 PM
To: Peter Sylvester
Cc: pkix
Subject: Re: CA=True for an OCSP certificate
Peter,
I expect the CA flag to be set to TRUE only in a cert used to
validate signatures on other certs, and/or signatures on CRLs.
A cert for an EE contains no basic constraints extension, or one in
which the CA flag is FALSE.
A cert issued to a service run by a CA, such as an OCSP server or a time
stamp server, is not a CA cert but an EE cert, i.e., it is used to
verify signatures on objects other than certs or CRLs, and thus it
MUST not have the CA flag set TRUE.
Steve
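The two positions above map onto two distinct checks a relying party can make on the certificate that signed an OCSP response: either it is the issuing CA's own certificate (RFC 2560 direct signing), or it is a delegated responder certificate, which must be an EE cert (CA flag absent or FALSE) with the OCSP signing extended key usage. The following is an added example, not code from the thread or from any PKIX implementation; it assumes the Python `cryptography` library, and the CA name, responder names and EC keys are constructed demo values.

```python
# Added example: classify an OCSP response signer cert under the two RFC 2560
# models, rejecting a delegated responder whose basicConstraints says CA=TRUE.
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _make_cert(cn, issuer_name, key, sign_key, is_ca, eku=None):
    """Constructed test certificate; names and keys are demo values only."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(issuer_name or subject)   # self-signed when no issuer given
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now)
         .not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(sign_key, hashes.SHA256())

def classify_ocsp_signer(signer, issuer):
    """Return 'ca-signed', 'delegated' or 'reject' for a response signer cert."""
    if signer == issuer:
        return "ca-signed"          # model 1: the CA key itself signs the response
    if signer.issuer != issuer.subject:
        return "reject"             # a delegate must be issued by the same CA
    try:
        is_ca = signer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False               # an EE cert may omit basicConstraints entirely
    if is_ca:
        return "reject"             # CA=TRUE is only for certs that sign certs/CRLs
    try:
        eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return "reject"             # a delegate needs id-kp-OCSPSigning
    return "delegated" if ExtendedKeyUsageOID.OCSP_SIGNING in eku else "reject"

def build_demo():
    """Constructed CA, a correct delegated responder cert, and one wrongly marked CA=TRUE."""
    ca_key, good_key, bad_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = _make_cert("Demo CA", None, ca_key, ca_key, is_ca=True)
    ocsp = [ExtendedKeyUsageOID.OCSP_SIGNING]
    good = _make_cert("Demo OCSP Responder", ca.subject, good_key, ca_key, False, ocsp)
    bad = _make_cert("Misissued Responder", ca.subject, bad_key, ca_key, True, ocsp)
    return ca, good, bad
```

Calling `classify_ocsp_signer(c, ca)` for each cert from `build_demo()` yields `ca-signed`, `delegated` and `reject` respectively; the last case is exactly the CA=TRUE responder cert Steve's message rules out.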