Bear Giles wrote:
> 
> 
> > If it only did an I+SN match then an attacker could readily generate a
> > self-signed certificate using its own key with matching I+SN.
> 
> But a self-signed cert is easily identified and could be flagged
> for special handling.  By removing them from the standard population
> we may be able to simplify rules for all other certs.

The self-signed cert was only an example. There are other cases which
could apply as well. An example would be explicit trust of an EE
certificate. That isn't supported in OpenSSL yet but it will be at some
point. It would however have a similar criterion: only an exact match
would be acceptable.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
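
The distinction discussed in this thread, as an added example that is not part of the original message and not OpenSSL's own code: two constructed self-signed certificates share issuer name and serial number but carry different keys, so an issuer+serial rule accepts the look-alike while an exact-match rule rejects it. The subject name, serial value, function names and the use of a SHA-256 fingerprint as the "exact match" test are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo: issuer+serial matching vs exact matching of a trusted cert.
set -eu

# Create a throwaway self-signed cert; every call generates a fresh key
# but reuses the same subject/issuer name and the same serial (0x1234).
make_cert() {  # $1 = output path prefix
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Trusted EE" -set_serial 4660 \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issuer_serial() { openssl x509 -in "$1" -noout -issuer -serial; }
fingerprint()   { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Weak rule: identify the certificate by issuer name + serial number only.
match_issuer_serial() { [ "$(issuer_serial "$1")" = "$(issuer_serial "$2")" ]; }

# Exact rule (assumed here as a digest over the whole DER encoding).
match_exact() { [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; }

# Print the verdict of both rules for candidate $2 against trusted cert $1.
compare() {
  if match_issuer_serial "$1" "$2"; then is=accept; else is=reject; fi
  if match_exact "$1" "$2"; then ex=accept; else ex=reject; fi
  echo "issuer+serial:$is exact:$ex"
}

demo() {
  dir=$(mktemp -d)
  make_cert "$dir/trusted"     # the certificate that was explicitly trusted
  make_cert "$dir/lookalike"   # same I+SN, different key
  compare "$dir/trusted.pem" "$dir/lookalike.pem"
  compare "$dir/trusted.pem" "$dir/trusted.pem"
  rm -rf "$dir"
}

demo
```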
