Red Hat Certificate System 7.2 - Administration Manual: nameConstraints; OCSPNocheck; policyConstraints

A.3.9. nameConstraints
A.3.9.1. OID
2.5.29.30
A.3.9.2. Criticality
PKIX Part 1 requires that this extension be marked critical.
A.3.9.3. Discussion
This extension, which can be used in CA certificates only, defines a name space within which all subject
names in subsequent certificates in a certification path must be located.
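As an added illustration of the rule just stated (this code is not from the manual or from Red Hat Certificate System), the following checks a certification path, root first, and rejects any certificate whose dNSName values fall outside the name space defined by a preceding CA's nameConstraints. The `Cert` and `NameConstraints` types and the labelled path below are constructed for the example; the DNS matching rule (a name is inside a subtree when it equals the subtree or ends with "." plus the subtree) follows RFC 5280, and the check that only CA certificates carry the extension follows the "CA certificates only" statement above.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NameConstraints:
    """Constructed model of the dNSName parts of a nameConstraints extension."""
    permitted_dns: list[str] = field(default_factory=list)
    excluded_dns: list[str] = field(default_factory=list)


@dataclass
class Cert:
    """Constructed, minimal view of a certificate for this example."""
    label: str
    is_ca: bool
    dns_names: list[str]                       # subject / SAN dNSName values
    name_constraints: Optional[NameConstraints] = None


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName matching: equal to the subtree, or a subdomain of it."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def dns_name_allowed(name: str, nc: NameConstraints) -> bool:
    # If any permitted subtrees exist, the name must fall inside at least one.
    if nc.permitted_dns and not any(dns_in_subtree(name, s) for s in nc.permitted_dns):
        return False
    # An excluded subtree always wins, even inside a permitted one.
    return not any(dns_in_subtree(name, s) for s in nc.excluded_dns)


def validate_path(path: list[Cert]) -> tuple[bool, str]:
    """Walk the path root -> leaf. Constraints apply to every certificate
    that follows the CA carrying them, never to that CA's own certificate."""
    active: list[tuple[str, NameConstraints]] = []
    for cert in path:
        for owner, nc in active:
            for name in cert.dns_names:
                if not dns_name_allowed(name, nc):
                    return False, f"{cert.label}: dNSName {name!r} violates nameConstraints of {owner}"
        if cert.name_constraints is not None:
            if not cert.is_ca:
                return False, f"{cert.label}: nameConstraints present in a non-CA certificate"
            active.append((cert.label, cert.name_constraints))
    return True, "ok"


# Constructed sample path: the intermediate confines everything below it to
# example.com but carves out internal.example.com; a sub-CA narrows it further.
ROOT = Cert("root", True, [])
INTERMEDIATE = Cert("intermediate", True, [],
                    NameConstraints(permitted_dns=["example.com"],
                                    excluded_dns=["internal.example.com"]))
SUB_CA = Cert("sub-ca", True, [], NameConstraints(permitted_dns=["corp.example.com"]))


def check_leaf(dns_names: list[str], via_sub_ca: bool = False) -> tuple[bool, str]:
    """Build a path ending in a constructed leaf holding the given names and validate it."""
    cas = [ROOT, INTERMEDIATE] + ([SUB_CA] if via_sub_ca else [])
    return validate_path(cas + [Cert("leaf", False, dns_names)])


if __name__ == "__main__":
    for names, via in [(["www.example.com"], False),
                       (["www.internal.example.com"], False),
                       (["example.com.evil.org"], False),
                       (["www.example.com"], True),
                       (["a.corp.example.com"], True)]:
        print(names, "via sub-CA" if via else "", check_leaf(names, via))
```

The suffix test is deliberately `"." + subtree`, so `example.com.evil.org` is not treated as being inside `example.com`; a plain `endswith("example.com")` would accept it.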
A.3.10. OCSPNocheck
A.3.10.1. OID
1.3.6.1.5.5.7.48.4
A.3.10.2. Criticality
This extension should be noncritical.
A.3.10.3. Discussion
The extension is meant to be included in an OCSP signing certificate. The extension tells an OCSP
client that the signing certificate can be trusted without querying the OCSP responder (since the reply
would again be signed by the OCSP responder, and the client would again request the validity status
of the signing certificate). This extension is null-valued; its meaning is determined by its presence or
absence.
Since the presence of this extension in a certificate will cause OCSP clients to trust responses signed
with that certificate, use of this extension should be managed carefully. If the OCSP signing key is
compromised, the entire process of validating certificates in the PKI will be compromised for the
duration of the validity period of the certificate. Therefore, certificates using OCSPNocheck should be
issued with short lifetimes and be replaced frequently.
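The two points above, that the extension is null-valued and recognised by presence alone, and that certificates carrying it should have short lifetimes, are illustrated by the added example below. It is not code from the manual or from Red Hat Certificate System; it hand-encodes the DER form of the extension (OID 1.3.6.1.5.5.7.48.4 wrapping an ASN.1 NULL, with `critical` left at its DEFAULT FALSE so the extension is noncritical), detects the OID in an encoded extension list, and applies two policy checks. The 30-day maximum lifetime is an assumed local policy, not a value from the manual.

```python
from datetime import datetime, timedelta

OCSP_NOCHECK_OID = "1.3.6.1.5.5.7.48.4"   # id-pkix-ocsp-nocheck, as given in the manual
MAX_NOCHECK_LIFETIME = timedelta(days=30)  # assumed local policy for the "short lifetime" rule


def encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06, short-form length)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    assert len(body) < 128, "short-form length only in this example"
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid for the OID contents (without tag and length)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def encode_nocheck_extension() -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    The extension is null-valued: extnValue is an OCTET STRING holding ASN.1 NULL (05 00).
    'critical' is omitted, so it takes its DEFAULT of FALSE: noncritical."""
    inner = encode_oid(OCSP_NOCHECK_OID) + bytes([0x04, 0x02, 0x05, 0x00])
    return bytes([0x30, len(inner)]) + inner


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extension_oids(extensions_der: bytes) -> list[str]:
    """Return the extnID of every Extension in a DER SEQUENCE OF Extension."""
    tag, seq, _ = _read_tlv(extensions_der, 0)
    assert tag == 0x30, "expected SEQUENCE OF Extension"
    oids, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = _read_tlv(seq, pos)
        assert tag == 0x30, "expected Extension SEQUENCE"
        oid_tag, oid_body, _ = _read_tlv(ext, 0)
        assert oid_tag == 0x06, "extnID must be an OBJECT IDENTIFIER"
        oids.append(decode_oid(oid_body))
    return oids


def must_check_responder_status(responder_extension_oids: list[str]) -> bool:
    """Client side: with nocheck present the signing certificate is trusted without
    asking the responder about itself (which would only produce another response
    signed by the same key). Presence alone decides; the value carries nothing."""
    return OCSP_NOCHECK_OID not in responder_extension_oids


def nocheck_lifetime_acceptable(not_before: datetime, not_after: datetime) -> bool:
    """Issuer side: a nocheck certificate bounds how long a compromised signing key
    keeps every OCSP answer in the PKI untrustworthy, so cap its validity period."""
    return timedelta(0) < (not_after - not_before) <= MAX_NOCHECK_LIFETIME


# Constructed sample: an extension list holding only id-pkix-ocsp-nocheck.
SAMPLE_EXTENSIONS = bytes([0x30, 0x10]) + encode_nocheck_extension()

if __name__ == "__main__":
    print(encode_nocheck_extension().hex())
    print(extension_oids(SAMPLE_EXTENSIONS))
    print("query responder for its own status?",
          must_check_responder_status(extension_oids(SAMPLE_EXTENSIONS)))
    print("14-day cert ok?", nocheck_lifetime_acceptable(datetime(2024, 1, 1), datetime(2024, 1, 15)))
    print("1-year cert ok?", nocheck_lifetime_acceptable(datetime(2024, 1, 1), datetime(2025, 1, 1)))
```

Note that `must_check_responder_status` is only the part of responder-certificate validation that nocheck changes; the client still has to verify that the responder certificate chains to the issuer of the certificate being checked and carries the OCSP signing key usage.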
A.3.11. policyConstraints
A.3.11.1. OID
2.5.29.36
A.3.11.2. Criticality
This extension may be critical or noncritical.