Salz, Rich wrote:
> 
> > A bit odd but it makes sense I suppose: I wouldn't like to
> >guess as to which software will handle this properly though.
> 
> Yes, that is exactly what is going on.
> It is *VERY* odd -- I'd argue it's broken.
> 

I'd argue it's broken too. At the very least I'd expect some other
indicator like authority key identifier in the crl-sign certificate.
Then at least it could do an unambiguous issuer+serial number or subject
key id lookup: this wouldn't cause problems with X509_LOOKUP either if
OpenSSL checked extensions and if it could lookup by issuer and serial
number in the standard dir/file methods.

The omission of these extensions violates RFC2459 anyway.

> >OpenSSL can't do this automatically at present because it ignores
> >certificate extensions and its X509_LOOKUP mechanism can only return
> >single matching certificates for a given subject name.
> 
> Perhaps the easiest fix would be, if signature verification fails, see if
> there are any other certs with the same DN.  Won't this be necessary when
> a CA rekeys, anyway?
> 

Yes it will and so will lots of other things. Unfortunately it's the way
X509_LOOKUP works that's the problem, it only returns one certificate and
changing this will break hell knows what. Besides X509_LOOKUP is on my
list of "things to overhaul" which is steadily getting larger :-(

However when a CA rekeys you'd expect some indicator of the new key
used, not just: "try everything you've got and see what happens".

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
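
The lookup Steve describes above, written out as an added example that is not part of the original thread and not OpenSSL's own code: two CA certificates share one subject DN but carry different keys (the re-key case), a CRL is issued under the new key, and the issuer is chosen by matching the CRL's authority key identifier against each candidate's subject key identifier, falling back to Rich's "try every cert with the same DN" only when the CRL omits the AKID. The example assumes Python's `cryptography` library; the CA name, keys, certificates and CRL are all constructed inline.

```python
import datetime

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed sample data: one CA subject name reused across two key pairs,
# which is exactly what happens when a CA re-keys but keeps its DN.
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)


def make_ca_cert(key):
    """Self-signed CA certificate carrying a Subject Key Identifier."""
    return (
        x509.CertificateBuilder()
        .subject_name(CA_NAME)
        .issuer_name(CA_NAME)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW)
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
                       critical=False)
        .sign(key, hashes.SHA256())
    )


def make_crl(key, with_akid):
    """Empty CRL signed by `key`; the AKID extension is what RFC 2459 expects."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(CA_NAME)
        .last_update(NOW)
        .next_update(NOW + datetime.timedelta(days=30))
    )
    if with_akid:
        builder = builder.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()),
            critical=False)
    return builder.sign(key, hashes.SHA256())


def find_crl_issuer(crl, candidates):
    """Return (certificate, how) for the candidate that signed `crl`.

    `how` is "akid" when the AKID/SKID match resolved the ambiguity,
    "trial-verify" when every same-name certificate had to be tried,
    or a reason string with certificate None when nothing matched."""
    # Step 1: what a name-only lookup gives you: every cert with the CRL's issuer DN.
    same_name = [c for c in candidates if c.subject == crl.issuer]
    if not same_name:
        return None, "no-subject-match"
    # Step 2: if the CRL carries an Authority Key Identifier, use it to pick the
    # certificate whose Subject Key Identifier matches, then confirm the signature.
    try:
        akid = crl.extensions.get_extension_for_class(
            x509.AuthorityKeyIdentifier).value.key_identifier
    except x509.ExtensionNotFound:
        akid = None
    if akid is not None:
        for cert in same_name:
            try:
                skid = cert.extensions.get_extension_for_class(
                    x509.SubjectKeyIdentifier).value.digest
            except x509.ExtensionNotFound:
                continue
            if skid == akid and crl.is_signature_valid(cert.public_key()):
                return cert, "akid"
    # Step 3: no usable AKID, so fall back to trying every same-name certificate.
    for cert in same_name:
        if crl.is_signature_valid(cert.public_key()):
            return cert, "trial-verify"
    return None, "no-signature-match"


def build_scenario(with_akid):
    """Old and new CA certs with the same DN, plus a CRL signed by the new key."""
    key_old = ec.generate_private_key(ec.SECP256R1())
    key_new = ec.generate_private_key(ec.SECP256R1())
    return make_ca_cert(key_old), make_ca_cert(key_new), make_crl(key_new, with_akid)


def demo():
    """Map with_akid -> (picked the new CA?, which strategy resolved it)."""
    results = {}
    for with_akid in (True, False):
        ca_old, ca_new, crl = build_scenario(with_akid)
        chosen, how = find_crl_issuer(crl, [ca_old, ca_new])
        results[with_akid] = (chosen is ca_new, how)
    return results


if __name__ == "__main__":
    print(demo())
```

With the AKID present the new certificate is selected by key identifier and only one signature check is needed; without it the code has to verify against every same-DN certificate, which is the "try everything you've got" behaviour Steve objects to, and it only works at all because the lookup returns more than one certificate per subject name.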

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
