The configuration, as distributed by the project, *SHOULD BE* a concern of the OpenSSL team. It is incompatible with RFC 5280.
Please note that 'overspecification of authorityKeyInformation' is actually more of a problem than the current distributed configuration file believes -- Nelson Bolyard, who managed NSS for many years, has gone on record as stating that overspecification of authorityKeyIdentifier by a CA and a particular certificate's serial number leads to many, many problems (particularly when the authority, which is typically not a trust anchor but has a chain leading to a trust anchor, has a more constrained lifetime than the end-entity certificate, but in other edge cases as well).

I have not, however, found any technical violation of any encoding by OpenSSL.

-Kyle H

On Tue, Jul 13, 2010 at 7:12 PM, Massimiliano Pala <[email protected]> wrote:
> Hello Kyle,
>
> can you elaborate on the quoted statement? Since the RFC-5280 describes the profile for certificates and CRLs, how OpenSSL's generated certificates are not compatible with it? If you are referring to the configuration used, that's not really a concern of the OpenSSL's team, but if there are wrong encoding rules in the library can you point them out, please?
>
> Cheers,
> Max
>
> On 07/13/2010 09:09 PM, [email protected] wrote:
>> [...]There's also the need to ensure that the certificates that OpenSSL comes up with are compatible with X.509 and PKIX (they are *not* currently compatible with the latest version of PKIX, which is in RFC 5280; it's[...]
>
> --
> Best Regards,
> Massimiliano Pala
>
> --o------------------------------------------------------------------------
> Massimiliano Pala [OpenCA Project Manager]
> [email protected]
> [email protected]
> Dartmouth Computer Science Dept    Home Phone: +1 (603) 369-9332
> PKI/Trust Laboratory               Work Phone: +1 (603) 646-8734
> --o------------------------------------------------------------------------
> People who think they know everything are a great annoyance to those of us who do.
> -- Isaac Asimov
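As an added illustration (not part of the original thread and not OpenSSL code), the Python below decodes a DER AuthorityKeyIdentifier value per RFC 5280 section 4.2.1.1 and reports whether it carries the issuer name and serial number in addition to the key identifier, which is the overspecification discussed in the message above. The function names and the sample byte strings are constructed for this example.

```python
# Added example (not OpenSSL code). RFC 5280 section 4.2.1.1:
#   AuthorityKeyIdentifier ::= SEQUENCE {
#     keyIdentifier             [0] KeyIdentifier           OPTIONAL,
#     authorityCertIssuer       [1] GeneralNames            OPTIONAL,
#     authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
AKI_FIELDS = {0x80: "keyIdentifier", 0xA1: "authorityCertIssuer",
              0x82: "authorityCertSerialNumber"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def aki_fields(ext_value):
    """Map field name -> raw value for a DER AuthorityKeyIdentifier."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected exactly one DER SEQUENCE")
    found, pos = {}, 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag not in AKI_FIELDS:
            raise ValueError(f"unexpected tag 0x{tag:02x} in AKI")
        found[AKI_FIELDS[tag]] = value
    return found

def pins_issuer_cert(ext_value):
    """True when the AKI names the issuer's certificate (issuer and/or serial)."""
    fields = aki_fields(ext_value)
    return "authorityCertIssuer" in fields or "authorityCertSerialNumber" in fields

def _tlv(tag, value):                      # short-form lengths only (< 128 bytes)
    return bytes([tag, len(value)]) + value

# Constructed sample values, not taken from any real certificate.
KEYID = _tlv(0x80, bytes(range(20)))
NAME = _tlv(0x30, _tlv(0x31, _tlv(0x30, bytes.fromhex("0603550403") + _tlv(0x0C, b"Example CA"))))
KEYID_ONLY = _tlv(0x30, KEYID)
KEYID_ISSUER_SERIAL = _tlv(0x30, KEYID + _tlv(0xA1, _tlv(0xA4, NAME)) + _tlv(0x82, b"\x01"))
```

An extension that returns True from `pins_issuer_cert` identifies one specific issuer certificate by name and serial number, so it stops matching if that certificate is replaced, even when the replacement uses the same key.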
