Bear Giles wrote: > > > > If it only did an I+SN match then an attacker could readily generate a > > self-signed certificate using its own key with matching I+SN. > > But a self-signed cert is easily identified and could be flagged > for special handling. By removing them from the standard population > we may be able to simplify rules for all other certs.
The self signed cert was only an example. There are other cases which could apply as well. An example would be explicit trust of an EE certificate. That isn't supported in OpenSSL yet but it will be at some point. It would however have a similar criteria: only an exact match would be acceptable. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Gemplus: http://www.gemplus.com/ Core developer of the OpenSSL project: http://www.openssl.org/ BusX-Mozilla-Status: [EMAIL PROTECTED] PGP key: via homepage. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]