Hi:

I believe you have the wrong "Jean" at SCO.  I'm in Finance and quite
frankly, I don't understand this email chain at all!  Please review the
addresses under your alias.

I've also cc'd all of the "jeans" at SCO in the hopes this belongs to one
of them and they can let you know the correct "jean" address.

Take care,

Jean

At 02:56 AM 11/30/99 +0000, you wrote:
>Yunhong Li wrote:
>> 
>> >     o Steve is currently working on (in no particular order):
>> >        Proper (or at least usable) certificate chain verification.
>> 
>> I thought this is already working in 0.9.4.
>> SSL_CTX_use_certificate_chain_file
>> will load the cert chain for server cert chain. SSL_CTX_set_verify and
>> SSL_CTX_set_default_verify_paths will verify the client cert chain. What am I
>> missing?
>> 
>
>Chain verification is when you have a certificate chain and want to
>verify it. 
>
>Currently the only safe way to verify things is to keep everything but
>the end user ("leaf") certificate locally and don't take any notice of
>any untrusted CA certificates passed in. This is done in several ways at
>an application level. Even then you could still do things like use
>client certificates as servers and other similar problems.
>
>Proper chain verification checks the certificates can be used for the
>purpose you are trying to use them for and verifies the untrusted CA
>certificates really are CA certificates.
>
>Put briefly it involves doing various consistency checks on the
>extensions of the certificates and including various workarounds so the
>various broken certificates still work.
>
>Getting this going needed a lot of work. It's present in the latest
>snapshot but still needs extensive testing. The real test I suspect will
>be when OpenSSL 0.9.5 gets released...
>
>Steve.
>-- 
>Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
>Personal Email: [EMAIL PROTECTED] 
>Senior crypto engineer, Celo Communications: http://www.celocom.com/
>Core developer of the   OpenSSL project: http://www.openssl.org/
>Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
>
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>Development Mailing List                       [EMAIL PROTECTED]
>Automated List Manager                           [EMAIL PROTECTED]
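
The two checks described in Steve's quoted message (the leaf must be usable for the intended purpose, and peer-supplied CA certificates must really be CA certificates), as an added example that is not part of the original thread and is not OpenSSL's code. It is a simplified model over constructed data: `cert_model`, `check_chain` and the sample chains are hypothetical names, and signature, validity-date and trust-anchor checks are out of scope.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of the extensions the checks read; not OpenSSL's X509 type. */
enum purpose { SSL_SERVER_USE = 1, SSL_CLIENT_USE = 2 };   /* extendedKeyUsage bits */
#define KU_KEY_CERT_SIGN 0x04u                             /* keyUsage bit (model value) */

struct cert_model {
    const char *name;
    bool has_bc, is_ca;          /* basicConstraints present / CA flag */
    bool has_ku; unsigned ku;    /* keyUsage present / bits */
    bool has_eku; unsigned eku;  /* extendedKeyUsage present / bits */
};

enum chain_result { CHAIN_OK, CHAIN_EMPTY, CHAIN_NOT_A_CA,
                    CHAIN_CA_CANNOT_SIGN, CHAIN_WRONG_PURPOSE };

/* chain[0] is the leaf; chain[1..n-1] are CA certificates supplied by the peer. */
enum chain_result check_chain(const struct cert_model *chain, size_t n, enum purpose want)
{
    if (n == 0)
        return CHAIN_EMPTY;
    /* Leaf: an absent extendedKeyUsage places no restriction; a present one must allow `want`. */
    if (chain[0].has_eku && !(chain[0].eku & (unsigned)want))
        return CHAIN_WRONG_PURPOSE;
    for (size_t i = 1; i < n; i++) {
        /* An untrusted issuer must assert CA:TRUE; absence is treated as "not a CA". */
        if (!chain[i].has_bc || !chain[i].is_ca)
            return CHAIN_NOT_A_CA;
        /* If keyUsage is present it must permit certificate signing. */
        if (chain[i].has_ku && !(chain[i].ku & KU_KEY_CERT_SIGN))
            return CHAIN_CA_CANNOT_SIGN;
    }
    return CHAIN_OK;
}

/* Constructed sample chains (not real certificates). */
static const struct cert_model good_chain[] = {
    { "www.example.test", true, false, false, 0, true, SSL_SERVER_USE },
    { "Example Issuing CA", true, true, true, KU_KEY_CERT_SIGN, false, 0 },
};
static const struct cert_model client_as_server[] = {   /* client cert presented by a server */
    { "alice (client cert)", true, false, false, 0, true, SSL_CLIENT_USE },
    { "Example Issuing CA", true, true, true, KU_KEY_CERT_SIGN, false, 0 },
};
static const struct cert_model leaf_as_issuer[] = {     /* end-entity cert offered as a CA */
    { "www.example.test", true, false, false, 0, true, SSL_SERVER_USE },
    { "end-entity cert used as issuer", true, false, false, 0, true, SSL_SERVER_USE },
};
```
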