Salz, Rich wrote:
>
> >I'm afraid I can't follow you here. Even assuming that we know
> >exactly how the CA computes its key identifier, certificates without
> >an AKI don't give us the slightest hint which CA key we should hash.
>
> Right. :)
>
> Which is why "finding the CA who signed this" is a hard problem.

Yes it is indeed. There are all manner of things that can cause trouble
if something weird (but legal) happens. For example the current lookup
API can only return at most one certificate: there are circumstances
where this can be a problem.

There's also the issue that the OpenSSL API currently just says "verify
this certificate" whereas there should be a "certificate purpose"
parameter as well so it can, say, "verify for SSL server use" etc.

Then there's the lack of proper chain verification... i.e. being able to
check an untrusted chain ending in a trusted root without assuming any
certificate can be a CA :-(

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
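
The three gaps named in the message above (an issuer lookup that returns one certificate, no purpose parameter, no CA check on intermediates), as an added example that is not part of the original message and is not OpenSSL code. It is a simplified Python model: certificates are plain records, a signature check is modelled as a key-name match, and every name and sample certificate is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:                       # simplified model, not an X.509 parser
    subject: str
    issuer: str
    key: str                      # stands in for the subject public key
    signed_by: str                # stands in for "signature verifies under this key"
    is_ca: bool = False           # basicConstraints CA flag
    purposes: frozenset = frozenset()
    aki: Optional[str] = None     # authority key identifier, often absent

def candidates(cert, pool):
    """Every cert whose subject matches cert.issuer; an AKI narrows the set."""
    found = [c for c in pool if c.subject == cert.issuer]
    if cert.aki is not None:
        found = [c for c in found if c.key == cert.aki]
    return found

def build_chain(leaf, untrusted, trusted, purpose, max_depth=8):
    """Return [leaf, ..., trusted root] valid for `purpose`, or None."""
    if purpose not in leaf.purposes:
        return None               # leaf is not issued for the requested use
    def walk(cert, chain):
        if len(chain) > max_depth:
            return None
        for issuer in candidates(cert, trusted + untrusted):
            if issuer in chain or not issuer.is_ca:
                continue          # loop, or a non-CA cert acting as issuer
            if issuer.key != cert.signed_by:
                continue          # same name, wrong key: try the next one
            if issuer in trusted:
                return chain + [issuer]
            found = walk(issuer, chain + [issuer])
            if found:
                return found
        return None
    return walk(leaf, [leaf])

# Constructed sample data: one CA name with two keys (key rollover), no AKI.
ROOT = Cert("CN=Root", "CN=Root", "root-key", "root-key", is_ca=True)
OLD_CA = Cert("CN=Example CA", "CN=Root", "ca-key-1", "root-key", is_ca=True)
NEW_CA = Cert("CN=Example CA", "CN=Root", "ca-key-2", "root-key", is_ca=True)
SERVER = Cert("CN=www.example.test", "CN=Example CA", "srv-key", "ca-key-2",
              purposes=frozenset({"sslserver"}))
USER = Cert("CN=user", "CN=Example CA", "user-key", "ca-key-2",
            purposes=frozenset({"sslclient"}))
SIGNED_BY_USER = Cert("CN=other.example.test", "CN=user", "x-key", "user-key",
                      purposes=frozenset({"sslserver"}))
```

A lookup that stops at the first name match would hand back `OLD_CA` for `SERVER` and fail the signature check; trying every candidate finds `NEW_CA`.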