Dr S N Henson wrote:
>
> Bear Giles wrote:
> >
> > > If it only did an I+SN match then an attacker could readily generate a
> > > self-signed certificate using its own key with matching I+SN.
> >
> > But a self-signed cert is easily identified and could be flagged
> > for special handling. By removing them from the standard population
> > we may be able to simplify rules for all other certs.
>
> The self signed cert was only an example. There are other cases which
> could apply as well. An example would be explicit trust of an EE
> certificate. That isn't supported in OpenSSL yet but it will be at some
> point. It would however have a similar criterion: only an exact match
> would be acceptable.
I believe this is supported (by writing appropriate callbacks) - I'm sure I remember doing it at some point.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
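The point of the thread above, as an added stand-alone illustration (not OpenSSL code and not from any poster): an explicitly trusted EE certificate looked up by issuer + serial number (I+SN) alone is matched by a constructed self-signed certificate carrying the same I+SN, while an exact match over the whole encoded certificate rejects it. The `Cert` class, the DER placeholders and the trust store are constructed stand-ins, not real X.509 data.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for an X.509 certificate. It carries only what the two
# lookup strategies from the thread need: issuer + serial (I+SN), and the
# encoded certificate bytes that an exact match compares as a whole.
@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    serial: int
    der: bytes  # placeholder for the DER encoding (key and signature live here)

    def fingerprint(self) -> str:
        # Exact match compares the whole encoding; a digest of it is one value.
        return hashlib.sha256(self.der).hexdigest()

    def is_self_signed(self) -> bool:
        return self.issuer == self.subject

def find_by_issuer_and_serial(store, cert):
    """I+SN lookup: the weak criterion discussed in the thread."""
    for c in store:
        if c.issuer == cert.issuer and c.serial == cert.serial:
            return c
    return None

def find_exact(store, cert):
    """Exact match: the criterion explicit EE trust requires."""
    for c in store:
        if c.fingerprint() == cert.fingerprint():
            return c
    return None

# Constructed data: an EE cert the application explicitly trusts, and a
# self-signed cert that copies its issuer and serial but was produced with a
# different key, so its encoding differs.
TRUSTED_EE = Cert(issuer="CN=Example CA", subject="CN=server.example",
                  serial=4711, der=b"constructed-der:ca-signed:key-A")
FORGED_EE = Cert(issuer="CN=Example CA", subject="CN=Example CA",
                 serial=4711, der=b"constructed-der:self-signed:key-B")
EXPLICIT_TRUST_STORE = [TRUSTED_EE]

def trusted_by_isn(cert) -> bool:
    return find_by_issuer_and_serial(EXPLICIT_TRUST_STORE, cert) is not None  # forged: True

def trusted_by_exact_match(cert) -> bool:
    return find_exact(EXPLICIT_TRUST_STORE, cert) is not None  # forged: False
```

Flagging `is_self_signed()` certificates for special handling, as Bear suggests, would catch this particular forgery, but the exact-match check is what makes the lookup independent of how the mismatching certificate was constructed.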