Standard X.509 v3 Certificate Extensions
Discussion
This extension, which can be used in CA certificates only, defines a name space within which
all subject names in subsequent certificates in a certification path must be located.
CS Version Support
Supported since CS 4.2. Refer to "NameConstraintsExt" on page 519.
OCSPNocheck
OID
1.3.6.1.5.5.7.48.4
Criticality
This extension should be noncritical.
Discussion
The extension is meant to be included in an OCSP responder's signing certificate. The
extension tells an OCSP client that the signing certificate can be trusted without querying
the OCSP responder (since the reply would again be signed by the OCSP responder, and the
client would again request the validity status of the signing certificate). This extension is
null-valued: its meaning is determined by its presence or absence.
Since the presence of this extension in a certificate will cause OCSP clients to trust
responses signed with that certificate, use of this extension should be managed carefully. If
the OCSP signing key is compromised, the entire process of validating certificates in the
PKI will be compromised for the duration of the validity period of the certificate. Therefore,
certificates using OCSPNocheck should be issued with short lifetimes and be renewed
frequently.
CS Version Support
Supported since CS 4.2. Refer to "OCSPNoCheckExt" on page 530.
policyConstraints
OID
2.5.29.36
Criticality
This extension may be critical or noncritical.
738
Red Hat Certificate System Administrator's Guide • September 2005
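An added example, not part of the guide or of Certificate System, for the OCSPNocheck guidance above: it flags a responder signing certificate that carries the extension but is marked critical or has a long validity period. It uses the Python cryptography package; the 30-day limit, the function names and the sample certificates are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

MAX_LIFETIME = timedelta(days=30)  # assumed local policy, not a value from the guide

def lifetime(cert):
    """Validity period; handles both newer and older cryptography releases."""
    try:
        return cert.not_valid_after_utc - cert.not_valid_before_utc
    except AttributeError:
        return cert.not_valid_after - cert.not_valid_before

def audit_responder_cert(cert, max_lifetime=MAX_LIFETIME):
    """Return policy findings for an OCSP responder signing certificate."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.OCSPNoCheck)
    except x509.ExtensionNotFound:
        return []  # no OCSPNoCheck: clients still check this certificate's status
    findings = []
    if ext.critical:
        findings.append("OCSPNoCheck is marked critical; it should be noncritical")
    days = lifetime(cert).days
    if lifetime(cert) > max_lifetime:
        findings.append(f"OCSPNoCheck certificate is valid for {days} days; "
                        f"limit is {max_lifetime.days}")
    return findings

def make_cert(days, nocheck=True, critical=False):
    """Constructed sample: self-signed certificate for a hypothetical responder."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ocsp.example.test")])
    start = datetime.now(timezone.utc).replace(microsecond=0)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + timedelta(days=days)))
    if nocheck:
        builder = builder.add_extension(x509.OCSPNoCheck(), critical=critical)
    return builder.sign(key, hashes.SHA256())

if __name__ == "__main__":
    for label, cert in [("7-day", make_cert(7)), ("1-year", make_cert(365))]:
        print(label, audit_responder_cert(cert) or "ok")
```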