Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual page 731

Standard X.509 v3 Certificate Extensions
Criticality
This extension should be noncritical.
Discussion
The extension is meant to be included in an OCSP responder's signing certificate.
The extension tells an OCSP client that the signing certificate can be trusted
without querying the OCSP responder (since the reply would again be signed by
the OCSP responder, and the client would again request the validity status of the
signing certificate). This extension is null-valued: its meaning is determined by its
presence or absence.
Since the presence of this extension in a certificate will cause OCSP clients to trust
responses signed with that certificate, use of this extension should be managed
carefully. If the OCSP signing key is compromised, the entire process of validating
certificates in the PKI will be compromised for the duration of the validity period
of the certificate. Therefore, certificates using should be issued with
OCSPNocheck
short lifetimes and be renewed frequently.
CMS Version Support
Supported since CMS 4.2. Refer to "OCSPNoCheckExt" on page 552.
policyConstraints
OID
2.5.29.36
Criticality
This extension may be critical or noncritical.
Discussion
This extension, which is for CA certificates only, constrains path validation in two
ways. It can be used to prohibit policy mapping or to require that each certificate in
a path contain an acceptable policy identifier.
PKIX requires that, if present, this extension must never consist of a null sequence.
At least one of the two available fields must be present.
CMS Version Support
Supported since CMS 4.2. Refer to "PolicyConstraintsExt" on page 553.
policyMappings
OID
2.5.29.33
Appendix G Certificate and CRL Extensions 731