In message <[EMAIL PROTECTED]> on Thu, 18 Nov 2004 20:14:04 +0100, "Dr. Stephen Henson" <[EMAIL PROTECTED]> said:
steve> I'll check it through more thoroughly. If you never get that
steve> new error code then I agree there won't be any incompatibility
steve> on that basis.

... unless you're hit with proxy certificates, when I'm done with that
project. However, that's an entirely new situation, which doesn't work
at all with OpenSSL as it currently is, so I doubt anyone will complain
when that part would start to work *better* :-).

steve> That leaves two cases based on my current understanding of the
steve> patch [subject to change when I've scanned it further :-)] .
steve>
steve> One is applications that expect the lack of CA checking when
steve> they set no purpose, another is customized purpose checking
steve> where someone defines their own purpose with its own overrides.
steve> I don't *think* many applications do either but they would be
steve> broken by the change as I understand it.

I'm going as far as thinking it's a BUG not to check for the CA settings
just because there's no purpose set. I also think it's a BUG not to check
if there are unsupported critical extensions in the certificate. I also
think it's a BUG not to check the path length. Furthermore, I think it's
a BUG to only look at the CA settings in conjunction with certain
extensions (those corresponding to purposes) instead of separating the
two.

The check of unsupported critical extensions, the purpose (and thereby
CA) check and the path length check are all done in
check_chain_purpose() (which, not so incidentally, I renamed to
check_chain_extensions, as that's what it really does), which would only
be called when there's a purpose setting. I don't think there's a
reasonable excuse to perpetuate those bugs.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
--
Richard Levitte                         [EMAIL PROTECTED]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                        -- C.S. Lewis
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
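Added illustration (not part of the thread, and not OpenSSL's own check_chain_purpose()/check_chain_extensions() code): a small chain-extension checker in which the three checks Richard lists (issuer must be a CA, no unsupported critical extensions anywhere in the chain, path length constraint honoured) run on every chain, and only the extendedKeyUsage check is gated on a purpose being set. Certificates are constructed dict records rather than parsed X.509; the SUPPORTED_EXTENSIONS set, the PURPOSES table and the sample chains are assumptions made for the example, and the path length rule is the RFC 3280 one (pathLenConstraint bounds the number of non-self-issued intermediate CAs between that certificate and the leaf).

```python
# Added illustration, not OpenSSL code: chain-extension checks that do not
# depend on a purpose having been set. Certificate records are constructed.

# Extensions this checker understands. Any OTHER extension marked critical
# must cause rejection (RFC 3280 section 4.2), whatever the purpose.
SUPPORTED_EXTENSIONS = {"basicConstraints", "keyUsage", "extendedKeyUsage",
                        "subjectAltName"}

# Hypothetical purpose table: the extendedKeyUsage value a leaf must carry
# (when it has that extension at all) for a given purpose.
PURPOSES = {"sslserver": "serverAuth", "sslclient": "clientAuth"}


def make_cert(subject, issuer, extensions=None):
    """Constructed certificate record; extensions maps a name to
    {"critical": bool, "value": ...}."""
    return {"subject": subject, "issuer": issuer,
            "extensions": dict(extensions or {})}


def check_chain_extensions(chain, purpose=None):
    """chain is ordered leaf first, trust anchor last. Returns (ok, errors).

    Checks 1-3 run for every chain regardless of purpose; only check 4 is
    purpose-specific."""
    errors = []
    for depth, cert in enumerate(chain):
        # 1. An unsupported critical extension is fatal at every depth.
        for name, ext in cert["extensions"].items():
            if ext.get("critical") and name not in SUPPORTED_EXTENSIONS:
                errors.append(f"depth {depth}: unsupported critical extension {name}")
        if depth == 0:
            continue  # the remaining checks apply to issuing certificates only

        # 2. Every issuer must be flagged as a CA in basicConstraints, and any
        #    keyUsage it carries must permit certificate signing.
        bc = cert["extensions"].get("basicConstraints")
        if bc is None or not bc["value"].get("ca"):
            errors.append(f"depth {depth}: {cert['subject']!r} is not a CA")
            continue
        ku = cert["extensions"].get("keyUsage")
        if ku is not None and "keyCertSign" not in ku["value"]:
            errors.append(f"depth {depth}: keyUsage of {cert['subject']!r} lacks keyCertSign")

        # 3. pathLenConstraint bounds the number of non-self-issued
        #    intermediate CAs between this certificate and the leaf
        #    (chain[1:depth]); the leaf at index 0 is not counted.
        pathlen = bc["value"].get("pathlen")
        if pathlen is not None:
            below = sum(1 for c in chain[1:depth] if c["subject"] != c["issuer"])
            if below > pathlen:
                errors.append(f"depth {depth}: {below} intermediate CA(s) below "
                              f"{cert['subject']!r} exceeds pathlen {pathlen}")

    # 4. The purpose-specific check, the only one gated on a purpose being set.
    if purpose is not None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        eku = chain[0]["extensions"].get("extendedKeyUsage")
        if eku is not None and PURPOSES[purpose] not in eku["value"]:
            errors.append(f"depth 0: extendedKeyUsage lacks {PURPOSES[purpose]}")
    return (not errors, errors)


def ca_extensions(pathlen=None):
    """Constructed CA extension set, optionally with a pathLenConstraint."""
    bc = {"ca": True}
    if pathlen is not None:
        bc["pathlen"] = pathlen
    return {"basicConstraints": {"critical": True, "value": bc},
            "keyUsage": {"critical": True, "value": ["keyCertSign", "cRLSign"]}}


def sample_chains():
    """Constructed chains, one per failure mode plus a valid one."""
    root = make_cert("Root CA", "Root CA", ca_extensions())
    inter = make_cert("Intermediate CA", "Root CA", ca_extensions(pathlen=0))
    leaf = make_cert("www.example.test", "Intermediate CA", {
        "basicConstraints": {"critical": True, "value": {"ca": False}},
        "extendedKeyUsage": {"critical": False, "value": ["serverAuth"]}})
    # An end-entity certificate (ca=False) used to sign another leaf.
    rogue = make_cert("rogue.example.test", "Root CA", {
        "basicConstraints": {"critical": True, "value": {"ca": False}}})
    leaf_via_rogue = make_cert("victim.example.test", "rogue.example.test")
    # A sub-CA inserted under an intermediate whose pathlen is 0.
    subca = make_cert("Sub CA", "Intermediate CA", ca_extensions())
    leaf_via_subca = make_cert("deep.example.test", "Sub CA")
    # A leaf carrying a critical extension this verifier does not implement.
    odd_leaf = make_cert("odd.example.test", "Intermediate CA", {
        "policyConstraints": {"critical": True, "value": {"requireExplicitPolicy": 0}}})
    return {"good": [leaf, inter, root],
            "non_ca_issuer": [leaf_via_rogue, rogue, root],
            "pathlen_exceeded": [leaf_via_subca, subca, inter, root],
            "unknown_critical": [odd_leaf, inter, root]}


if __name__ == "__main__":
    for name, chain in sample_chains().items():
        print(name, check_chain_extensions(chain))
```

The point the structure makes: with purpose=None every one of the three bad chains is still rejected, because the CA, critical-extension and path length checks sit outside the purpose branch; a verifier that only reaches them through a purpose table would accept all three whenever no purpose is configured.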