From: Stefan Traby <[EMAIL PROTECTED]>

stefan> Even IE 5.01 supports at least 257 levels of nested CA's (tested,
stefan> certs created by openssl after patching, the pkcs12-file was 216992
stefan> bytes large) and I guess that no standard suggests or enforces a
stefan> nesting level limit of 9. (Stupid default: As long as it's possible to
stefan> sign certs illegally (expiration time) the default limit should be higher).

I can't quite understand why such nesting depths would be useful, and
what it might have to do with illegal signing.  I'm not trying to
defend the limit of 9 levels, just curious...

stefan> I'm now really surprised that openssl works at all, I see at bugs
stefan> in frontend and backend there (honoring the fact that
stefan> X509_STORE_CTX_get_error() after X509_verify_cert() returns
stefan> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT which should be _clearly_
stefan> X509_V_ERR_CERT_CHAIN_TOO_LONG in that case).

Please send a patch?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
