Netscape MANAGEMENT SYSTEM 4.5 - PLUG-IN Manual page 347

The Extended Key Usage extension must include OCSP Signing in an OCSP
responder's certificate (unless the CA signing key that signed the certificates
validated by the responder is also the OCSP signing key). The OCSP responder's
certificate must be issued directly by the CA that signs certificates the responder
will validate.
The Key Usage, Extended Key Usage, and Basic Constraints extensions act together
to define the purposes for which the certificate is intended to be used. Applications
can use these extensions to disallow the use of a certificate in inappropriate
contexts.
Table C-2 lists the uses defined by PKIX for this extension, and Table C-3 lists uses
privately defined by Microsoft or Netscape.
PKIX Extended Key Usage Extension Uses
Table C-2
Use
Server authentication
Client authentication
Code signing
Email
Timestamping
OCSP Signing
* OCSP Signing is not defined in PKIX Part 1, but in RFC 2560, "X.509 Internet
Public Key Infrastructure Online Certificate Status Protocol - OCSP."
Table C-3 Private Extended Key Usage Extension Uses
Use
Certificate trust list signing
Microsoft Server Gated
Crypto (SGC)
Microsoft Encrypted File
System
Netscape SGC
OID
1.3.6.1.5.5.7.3.1
1.3.6.1.5.5.7.3.2
1.3.6.1.5.5.7.3.3
1.3.6.1.5.5.7.3.4
1.3.6.1.5.5.7.3.8
1.3.6.1.5.5.7.3.9*
OID
1.3.6.1.4.1.311.10.3.1
1.3.6.1.4.1.311.10.3.3
1.3.6.1.4.1.311.10.3.4
2.16.840.1.113730.4.1
Appendix C
Standard X.509 v3 Certificate Extensions
Certificate and CRL Extensions 347