That's me told then, so to authenticate a certificate you need the whole "chain" of certs going from the cert to authenticate all the way to a trusted CA.

The application I am writing is presented with certs to authenticate from an external source, and the configuration has to hold a "pool" of trusted certs so you can check the certificates presented. It appears that this "pool" basically has to have every possible signer in it. I was kind of hoping that I could get away with only a couple of trusted CAs and traverse the certificate hierarchy to these roots. Hold on, I can't do that because without the intermediate signer certs how can I figure out who signed them? Got it now.

Tat.

> > > Would this be a hassle if you have a root CA with a lot of intermediate
> > > signers? That means that you have to store/locate all possible intermediate
> > > signers to evaluate a couple of end user certificates.
> >
> > This is why PKCS12 (iirc) provides a mechanism to provide intermediate
> > certs with the final cert. The CA should have a suitable chain for its
> > own certs, and it can return the extra certs with everything that it
> > signs.
>
> This likely applies to the PKCS7 Signed structure.
>
> > This doesn't help you when presented a naked cert by a stranger - you
> > still have to locate those intermediate certs - but at that point you
> > have more problems than just finding the intermediate certs. What does
> > it mean to have a full cert chain if the root is a self-signed cert by
> > "Bob's Bait Shop and Certificate Authority?"
>
> Any parseable certificate presented by a stranger is good enough to
> use that public key to send email encrypted to *his* private key.
> At least if there's no chance for man-in-the-middle.
>
> Probably you are talking about verification that the stranger is authorized
> by some big guy to pay... it's a completely different issue. Yes, one needs
> the (root) certificate of that big guy and the intermediate certs to verify the chain.
>
> > You could decide to ignore any cert that's not from a major CA (which
> > would make the stockholders of Verisign very happy), but that misses
> > the point. An individual cert by Verisign really says very little about
> > the person; a cert signed by a small college for its students for
> > internal use may be rock solid.
>
> One could care about CA certificates related to his business, either
> well-known or private ones used to verify access to local resources.
>
> > On a related note, is there documentation on how to set up
> > "well-behaved" certs and PKCS12 bags? I couldn't find anything the last
> > time I checked, but maybe something has come out since then.
>
> Any problem with the PKCS12 specifications published by RSA Labs?
> What is "well-behaved"?
>
> -vf

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
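The point the thread settles on (a trust pool holding only roots is enough, provided the intermediates travel with the end-entity cert as a PKCS#7/PKCS#12 bundle does) can be shown with Go's standard crypto/x509 package. This is an added example, not code from the thread or from OpenSSL; the root, intermediate and leaf certificates are constructed in memory with made-up names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parentKey; a nil parent yields a self-signed root.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	ku := x509.KeyUsageDigitalSignature
	if isCA { ku |= x509.KeyUsageCertSign } // only CAs may sign certificates
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku,
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed: the template is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify chains leaf to a root in the trust pool, using only the intermediates
// presented alongside the leaf (as a PKCS#7 or PKCS#12 bundle would carry them).
func verify(leaf *x509.Certificate, trusted, presented []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted { roots.AddCert(c) }
	for _, c := range presented { inters.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// demo verifies a constructed leaf twice against a pool holding only the root:
// once "naked" (no intermediate presented) and once with the intermediate supplied.
func demo() (naked, bundled error) {
	root, rootKey := issue("Constructed Root CA", true, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := issue("alice@example.test", false, inter, interKey)
	trust := []*x509.Certificate{root} // the application's trust pool: roots only
	return verify(leaf, trust, nil), verify(leaf, trust, []*x509.Certificate{inter})
}
```

The naked verification fails with an unknown-authority error because nothing in the pool or the presented set links the leaf's issuer to the root; the bundled one succeeds, so the pool never needs to hold the intermediate itself.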