In message <[EMAIL PROTECTED]> on Wed, 31 Mar 2004 11:23:29 +0200 (METDST), "Simon Josefsson via RT" <[EMAIL PROTECTED]> said:
rt>
rt> "Richard Levitte via RT" <[EMAIL PROTECTED]> writes:
rt>
rt> > I'm honestly very unsure about this one.  After all, "openssl ca"
rt> > already covers this, so I wonder why there's a need to create another
rt> > way to do the same thing, and add to the confusion on how to do things...
rt>
rt> How would you use "openssl ca" to do the same?  Wouldn't it change
rt> fields in the signed certificate, or at least require that the CA key used
rt> to sign correspond to the issuer in the certificate to be signed?  As
rt> far as I understood, the RT thread only indicates "openssl ca" has the
rt> same poor security as -noselfsign implies (in that it makes it possible
rt> for the user to sign certificates without POP), not that "openssl ca"
rt> can do the same operation.

What I understood was that you wanted to be able to sign a certificate
(I call it A from now on) using a CA that doesn't have a root
certificate.  That is perfectly possible to do with "openssl ca",
provided you give it that CA's certificate and key.  Of course, in
preparation, you should create a certificate request (called reqA)
from certificate A.

And yes, of course the newly signed certificate (A') will have new and
possibly changed extensions.  That's within normal CA operations, I
believe.

rt> That said, I'm not using OpenSSL today, so I don't have a real
rt> interest in the patch.  If you believe it doesn't add value, I won't
rt> pursue the matter further.

OK.  Well, if you can comment on what I said above, I'll ponder it a
little more and decide on my own from there.  Sounds like a deal?
--
Richard Levitte
Member of the OpenSSL development team: http://www.openssl.org/
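The procedure described in the message above (derive reqA from certificate A, then sign it with "openssl ca" given the CA's certificate and key), as an added shell example that is not part of the original message or of OpenSSL's own material. The file names, subject names and minimal CA configuration are constructed for illustration, and the demo CA is self-signed only to keep the setup short.

```shell
#!/bin/sh
# Added example: re-issue certificate A as A' with "openssl ca" via a request.
# File names, subjects and the minimal CA config below are constructed.
reissue_demo() {
    d=$(mktemp -d) || return 1
    # Constructed signing CA. Self-signed only to keep the demo short:
    # "openssl ca" needs just the signing CA's certificate and key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Certificate A (a self-signed stand-in for a certificate issued elsewhere).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=host-a.example" \
        -keyout "$d/a.key" -out "$d/a.pem" 2>/dev/null || return 1
    # reqA: request derived from A; x509 -x509toreq signs it with A's private key.
    openssl x509 -x509toreq -in "$d/a.pem" -signkey "$d/a.key" \
        -out "$d/reqA.pem" 2>/dev/null || return 1
    # Minimal CA database and configuration for "openssl ca".
    : > "$d/index.txt"
    echo 01 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
new_certs_dir = $d
database = $d/index.txt
serial = $d/serial
default_md = sha256
default_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    # A': reqA signed with the CA's certificate and key.
    openssl ca -batch -notext -config "$d/ca.cnf" -cert "$d/ca.pem" \
        -keyfile "$d/ca.key" -in "$d/reqA.pem" -out "$d/a_prime.pem" \
        2>/dev/null || return 1
    # Compare A and A': the public key carries over, the issuer is the demo CA.
    key_a=$(openssl x509 -in "$d/a.pem" -noout -pubkey)
    key_ap=$(openssl x509 -in "$d/a_prime.pem" -noout -pubkey)
    issuer=$(openssl x509 -in "$d/a_prime.pem" -noout -issuer -nameopt RFC2253)
    rm -rf "$d"
    [ "$key_a" = "$key_ap" ] && keys=same-key || keys=different-key
    case $issuer in *"CN=Demo CA"*) by=issued-by-demo-ca ;; *) by=issuer-unexpected ;; esac
    echo "$keys $by"
}
reissue_demo
```

Because no extension section is configured and extensions are not copied from the request, A' carries none of A's extensions, which is the "new and possibly changed extensions" effect the message mentions.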