István Zsolt BERTA wrote:
> [...]
> We had good reasons to choose this solution. According to Hungarian
> regulations, a qualified CA is allowed to use its private key for the
> following two purposes only:
> * signing qualified end-user certificates and
> * signing CRLs.
> As neither 'signing OCSP responses' nor 'signing OCSP responder
> certificates' is listed here, we were not allowed to support options 1
> and 3 marked in RFC 2560, so only option 2 remained.
How does the Hungarian regulation define the CA?

In X509, a CA is defined by its Distinguished Name, so it can have several certificates with several private keys. So according to X509, your CA can have both:
- a qualified certificate and associated private key that can only sign end-user certificates and CRLs;
- another non-qualified certificate that signs OCSP responses.

If your OCSP Responder cert has the same DN as your CA cert and is also signed by your Root CA, it should be recognized as another cert issued for the same CA and trusted according to option 1 of RFC2560.

Unfortunately, I never had the opportunity to check how this specific case is handled by NSS :-)

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
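As an added example (not from the thread), here is the check a relying party makes under RFC 2560 section 2.2, written with Python's `cryptography` library against a constructed test hierarchy: option 1 is tied to the key that issued the certificate, option 3 to a certificate issued directly by that CA and marked with id-kp-OCSPSigning, and any other signer is acceptable only when it is configured locally as a trusted responder (option 2). The DNs, the EC P-256 keys and the `Test Root` / `Test Qualified CA` hierarchy are assumptions of this example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def dn(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject, pubkey, issuer_name, issuer_key, eku=None):
    """Sign a minimal certificate (constructed test PKI: EC P-256, no BasicConstraints)."""
    now = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365)))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def spki(cert):
    return cert.public_key().public_bytes(serialization.Encoding.DER,
                                          serialization.PublicFormat.SubjectPublicKeyInfo)

def classify_responder(issuer_cert, responder_cert, trusted_responders=()):
    """RFC 2560 option under which responder_cert may sign for issuer_cert, or None (reject)."""
    if spki(responder_cert) == spki(issuer_cert):          # option 1: the issuing key itself
        return "option1"
    if spki(responder_cert) in {spki(c) for c in trusted_responders}:
        return "option2"                                    # option 2: locally trusted responder
    # option 3: issued directly by the CA (name and signature) and marked id-kp-OCSPSigning
    if responder_cert.issuer != issuer_cert.subject:
        return None
    try:
        issuer_cert.public_key().verify(responder_cert.signature, responder_cert.tbs_certificate_bytes,
                                        ec.ECDSA(responder_cert.signature_hash_algorithm))
        eku = responder_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except Exception:                                       # bad signature or no EKU extension
        return None
    return "option3" if ExtendedKeyUsageOID.OCSP_SIGNING in eku else None

def build_demo_pki():
    """Constructed hierarchy: Root -> CA -> delegated responder, plus a second cert carrying
    the CA's DN but a different key, signed by the Root (the arrangement proposed above)."""
    root_key, ca_key, ocsp_key, alt_key = [ec.generate_private_key(ec.SECP256R1()) for _ in range(4)]
    root_name, ca_name = dn("Test Root"), dn("Test Qualified CA")
    ca_cert = issue(ca_name, ca_key.public_key(), root_name, root_key)
    delegated = issue(dn("Test OCSP Responder"), ocsp_key.public_key(), ca_name, ca_key,
                      eku=[ExtendedKeyUsageOID.OCSP_SIGNING])
    same_dn = issue(ca_name, alt_key.public_key(), root_name, root_key)
    return ca_cert, delegated, same_dn
```

Run `classify_responder` over the three certificates from `build_demo_pki()`: the same-DN certificate signed by the root matches neither the issuing key nor a directly issued id-kp-OCSPSigning certificate, so it is accepted only when listed in `trusted_responders`.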