Harald Koch wrote:
> [pkix quote deleted]
>
> Any thoughts on how to go about adding support for separate CA
> certificates for certs and CRLs to the existing OpenSSL certificate
> verifier?

I've been meaning to look through the pkix CRL stuff to see how this lot works in practice. The last time I looked I wasn't sure what (if anything) restricted the CRL signing certificates path when compared to the CA certificate. For example if you trust two root CAs A and B you don't want B to be able to sign CRLs for A without some authorisation from A (e.g. a CRL signing certificate chaining to A).

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
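
The two-root concern raised in this reply, as a small added model (not part of the original message and not OpenSSL code). Certificates and signatures are simulated with plain names, and `anchor_of`, `naive_accepts` and `strict_accepts` are hypothetical helpers; the strict check requires the CRL signer to hold a CRL-signing flag and to chain to the same root as the certificate being checked.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str              # name standing in for the public key
    signed_with: str      # name of the key that signed this cert
    crl_sign: bool = False

@dataclass(frozen=True)
class CRL:
    issuer: str           # CA whose certificates this CRL revokes
    signed_with: str      # name of the key that signed the CRL

def anchor_of(cert, pool, anchors):
    """Follow issuer links (name and key must both match) up to a trust anchor."""
    seen = set()
    while cert not in anchors:
        if cert in seen:
            return None   # loop, e.g. an untrusted self-signed cert
        seen.add(cert)
        cert = next((c for c in pool if c.subject == cert.issuer
                     and c.key == cert.signed_with), None)
        if cert is None:
            return None   # chain does not reach any trusted root
    return cert

def naive_accepts(crl, pool, anchors):
    """Weak rule: any key chaining to *any* trusted root may sign the CRL."""
    return any(c.key == crl.signed_with
               and anchor_of(c, pool, anchors) is not None for c in pool)

def strict_accepts(crl, target, pool, anchors):
    """Signer must be flagged for CRL signing and share the target's root."""
    root = anchor_of(target, pool, anchors)
    return root is not None and crl.issuer == target.issuer and any(
        c.key == crl.signed_with and c.crl_sign
        and anchor_of(c, pool, anchors) == root for c in pool)

# Constructed sample data: two independent trusted roots, A and B.
A = Cert("A", "A", "kA", "kA", crl_sign=True)
B = Cert("B", "B", "kB", "kB", crl_sign=True)
A_CRL = Cert("A CRL signer", "A", "kA-crl", "kA", crl_sign=True)
LEAF = Cert("www.example.test", "A", "kLeaf", "kA")
POOL, ANCHORS = [A, B, A_CRL, LEAF], {A, B}
FORGED = CRL(issuer="A", signed_with="kB")          # B signing a CRL for A
DELEGATED = CRL(issuer="A", signed_with="kA-crl")   # signer authorised by A

if __name__ == "__main__":
    print("naive  forged   :", naive_accepts(FORGED, POOL, ANCHORS))
    print("strict forged   :", strict_accepts(FORGED, LEAF, POOL, ANCHORS))
    print("strict delegated:", strict_accepts(DELEGATED, LEAF, POOL, ANCHORS))
```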
