On Thu, 20 Nov 2003, Dr. Stephen Henson wrote:

> Cert1 has keyUsage keyCertSign set. Its issuer and subject names are
> identical.
>
> Cert2 includes keyUsage and does *not* have keyCertSign set. Its issuer and
> subject names are identical *and* identical to Cert1.
>
> The two certificates have different keys.
>
> That test is needed to correctly verify the chain as Cert1->Cert2.
Fair enough. What about checking the basicConstraints? All CAs must have this extension according to RFC2459, and by inference cA must be set to true. Therefore if the issuer is the same as the subject, then the basicConstraints may be missing or cA set to false, and the keyUsage keyCertSign can be missing. If the issuer != subject, then basicConstraints must be present and cA set to true.

Given the scenario you describe above, the issuer/subject comparison will have to be done by digesting the cert or public key.

Of course, this is providing that such a self-signed certificate is permissible by RFC2459 in the first place.

- DR
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List
Automated List Manager
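The check DR sketches, as an added example written in Go against crypto/x509 (this is not code from the thread and not OpenSSL's implementation). The two certificates Stephen describes are constructed as test data under the assumed name "Example CA"; the self-signed test compares the public-key digest rather than the name alone, and basicConstraints cA=TRUE plus keyCertSign are required of every issuer that is not genuinely self-signed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// KeyDigest: SHA-256 of the SubjectPublicKeyInfo. Cert1 and Cert2 share a name, so only the key tells them apart.
func KeyDigest(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// CanIssue applies the rule from the mail: only a genuinely self-signed cert (same name AND same key) may
// omit basicConstraints/keyCertSign; any other issuer must assert cA=TRUE and keyCertSign. CheckSignature
// verifies with the issuer's bare public key, so no constraint check hides inside the call.
func CanIssue(issuer, subject *x509.Certificate) bool {
	if issuer.CheckSignature(subject.SignatureAlgorithm, subject.RawTBSCertificate, subject.Signature) != nil {
		return false
	}
	selfSigned := bytes.Equal(issuer.RawSubject, subject.RawSubject) && KeyDigest(issuer) == KeyDigest(subject)
	return selfSigned || issuer.BasicConstraintsValid && issuer.IsCA && issuer.KeyUsage&x509.KeyUsageCertSign != 0
}

// mk signs template t with signer (the parent's key) and parses the resulting DER back.
func mk(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPair constructs the mail's two certificates (constructed test data): Cert1 is a self-signed CA with
// keyCertSign; Cert2 has the same subject/issuer name but a different key, no keyCertSign, no basicConstraints.
func BuildPair() (*x509.Certificate, *x509.Certificate, error) {
	k1, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	k2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now, name := time.Now(), pkix.Name{CommonName: "Example CA"}
	t1 := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: name, NotBefore: now, NotAfter: now.Add(time.Hour),
		BasicConstraintsValid: true, IsCA: true, KeyUsage: x509.KeyUsageCertSign}
	cert1, err := mk(t1, t1, &k1.PublicKey, k1)
	if err != nil {
		return nil, nil, err
	}
	t2 := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: name, NotBefore: now, NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	cert2, err := mk(t2, cert1, &k2.PublicKey, k1)
	return cert1, cert2, err
}
```

A name-only issuer/subject comparison would flag Cert2 as self-signed; the key digest shows it is not, so Cert2 is then held to the cA=TRUE/keyCertSign requirement and correctly rejected as an issuer of Cert1.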