Jean-Marc Desperrier wrote: OpenSSL ca tool is not a CA, it's a toy, its author would be the first to confirm that.
<applause> The world would be a lot better if all the OpenSSL users knew that!
I really don't think from what I know that the OpenSSL team is the one responsible for the situation.
They never would recommend using it to issue certs for third parties, or beyond a laboratory scale.
Meanwhile even if I use a more serious tool like Netscape/iPlanet/Sun/AOL/RedHat CMS, it's still surprisingly easy to shoot yourself in the foot. You can create certs with a critical extension the product doesn't handle and just block it later when one of the generated certs is used internally, you can make a syntax error in the configuration, see no effect initially, only from that point in time, the product surprisingly blocks after three requests successfully processed. That was in 4.7, but maybe the same bugs exist in other versions too.
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
