Description of problem:
GnuPG 2 fails to verify OCSP responses signed using a certificate without the keyUsage extension (but with extendedKeyUsage set properly to OCSP signing as required by RFC 2560). Such a certificate is used e.g. by CAcert.org. The keyUsage check as currently implemented doesn't make much sense, attached is a simple patch fixing that (applies cleanly to both gnupg2-2.0.17-1.fc15 and gnupg2-2.0.16-3.fc14).
This has been reported upstream as https://bugs.g10code.com/gnupg/issue1333 (no response yet).
Created attachment 512093 [details]