René G. Eberhard wrote:
>
> Hi
>
> I really like this status mail.
>
> > o Steve is currently working on (in no particular order):
> > Proper (or at least usable) certificate chain verification.
> How do you do that? Is there a requirement spec in the archive?
> I think I'm not the only one who is interested in that.
>
Well the current code can check chains cryptographically. What it
doesn't do is check the extensions, with the unfortunate side effect that
anyone can pretend to be a CA: so chain verification isn't usually done.

A must-have check would be that the CA certificates really were CA
certificates: and, since it's the same extension, pathlength checking
could be lumped in too and possibly some minimal keyUsage checks. This
isn't too hard to do and wouldn't affect too much (if any) of the
existing code.

Proper chain verification probably needs a database of certificates and
CRLs with trust settings. However there is a set of dependencies here...

1. RSA_METHOD, DSA_METHOD, DH_METHOD and fixing existing code.
2. EVP_METHOD and revision of EVP code.
3. Certificate and CRL database API with trust settings.
4. Proper chain verify: including overhaul of the verify interface.

Of these the first is approaching completion...

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
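
The extension checks described in the message above (CA flag, pathlength, minimal keyUsage), sketched as an added example that is not part of the original mail and is not OpenSSL code. The struct cert_model and all names in it are hypothetical, the sample chains are constructed, signatures are assumed to be already verified, and a missing basicConstraints extension is treated as "not a CA" for every issuer, the root included.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical simplified certificate model; not an OpenSSL type. */
struct cert_model {
    int is_ca;          /* basicConstraints cA flag; 0 also when the extension is absent */
    int path_len;       /* pathLenConstraint, -1 when absent */
    int has_key_usage;  /* keyUsage extension present */
    int key_cert_sign;  /* keyUsage keyCertSign bit */
};

enum chain_result { CHAIN_OK, ERR_NOT_CA, ERR_PATHLEN, ERR_KEY_USAGE };

/* chain[0] is the end-entity certificate, chain[n-1] the root.
 * Only extensions are checked; *bad is meaningful only on an error return. */
enum chain_result check_chain_extensions(const struct cert_model *chain,
                                         size_t n, size_t *bad)
{
    for (size_t i = 1; i < n; i++) {    /* every certificate that issued another */
        *bad = i;
        if (!chain[i].is_ca)
            return ERR_NOT_CA;
        /* i - 1 intermediate CA certificates sit between chain[i] and the leaf */
        if (chain[i].path_len >= 0 && (size_t)chain[i].path_len < i - 1)
            return ERR_PATHLEN;
        if (chain[i].has_key_usage && !chain[i].key_cert_sign)
            return ERR_KEY_USAGE;
    }
    return CHAIN_OK;
}

/* Constructed chains, leaf first: {is_ca, path_len, has_key_usage, key_cert_sign} */
static const struct cert_model good_chain[] =    /* leaf, issuing CA (pathlen 0), root */
    { {0, -1, 0, 0}, {1, 0, 1, 1}, {1, -1, 1, 1} };
static const struct cert_model forged_chain[] =  /* an end-entity certificate used as issuer */
    { {0, -1, 0, 0}, {0, -1, 0, 0}, {1, -1, 1, 1} };
static const struct cert_model deep_chain[] =    /* root has pathlen 0 but a sub-CA sits below it */
    { {0, -1, 0, 0}, {1, -1, 1, 1}, {1, 0, 1, 1} };

int main(void)
{
    size_t bad = 0;
    int r = check_chain_extensions(good_chain, 3, &bad);
    printf("good:   result %d\n", r);
    r = check_chain_extensions(forged_chain, 3, &bad);
    printf("forged: result %d at chain[%zu]\n", r, bad);
    r = check_chain_extensions(deep_chain, 3, &bad);
    printf("deep:   result %d at chain[%zu]\n", r, bad);
    return 0;
}
```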