It's not immediately obvious, but enforcement of the keyUsage and other attributes is something the relying party has to do. Anything else means just trusting the signer, and that is not secure; how do you know the signer is not cheating?
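A sketch of the relying-party check described in the message above, added here as an illustration and not taken from the post or from OpenSSL. It decodes the DER BIT STRING carried in a keyUsage extension (bit names from RFC 5280) and refuses an operation the certificate does not permit; the operation names, the `relying_party_allows` helper and the sample byte strings are constructed for this example.

```python
# RFC 5280 KeyUsage bit names, indexed by bit number (bit 0 = MSB of first byte).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

# Hypothetical mapping: what the relying party is about to do -> bit it requires.
REQUIRED_BIT = {
    "verify_data_signature": "digitalSignature",
    "verify_cert_signature": "keyCertSign",
    "verify_crl_signature": "cRLSign",
    "rsa_key_transport": "keyEncipherment",
}

def decode_key_usage(der: bytes) -> set:
    """Decode the keyUsage extension value (a DER BIT STRING) into bit names."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("bad length octet")
    unused, content = der[2], der[3:]
    if unused > 7:
        raise ValueError("bad unused-bits count")
    names = set()
    for i in range(len(content) * 8 - unused):
        if content[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KEY_USAGE_BITS):
                raise ValueError("unknown keyUsage bit set")
            names.add(KEY_USAGE_BITS[i])
    return names

def relying_party_allows(key_usage_der, operation: str) -> bool:
    """Decide, on the verifier's side, whether the key may be used this way."""
    required = REQUIRED_BIT[operation]
    if key_usage_der is None:
        # Extension absent: treated as unrestricted here (assumption of this
        # example; a stricter local policy may reject instead).
        return True
    try:
        return required in decode_key_usage(key_usage_der)
    except ValueError:
        return False  # malformed extension: fail closed

# Constructed sample values (not from any real certificate).
CA_KU = bytes.fromhex("03020106")   # keyCertSign + cRLSign
EE_KU = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment

if __name__ == "__main__":
    # An end-entity key that signs a certificate is rejected by the verifier.
    print(relying_party_allows(EE_KU, "verify_cert_signature"))  # False
    print(relying_party_allows(CA_KU, "verify_cert_signature"))  # True
```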