On 06/30/2014 05:14 PM, Rich Salz via RT wrote:
> It's not immediately obvious, but enforcement of the keyUsage and other
> attributes is something the relying party has to do. Anything else means just
> trusting the signer, and that is not secure; how do you know the signer is not
> cheating?

I agree with Rich that the primary requirement is on the relying party.
But OpenSSL's user-facing tools for operating a CA can also be made to
be more user-friendly, to avoid creating a CRL (or other data structure)
by default that reasonable relying parties will automatically reject.
The ability to override this default restriction would be nice too (for
those signers who actually *want* to "cheat", or for the creation of
test suite material, etc.), though that could be done with modified source
code for the folks who have these special needs.
I think #1210 should be reopened.
--dkg
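
The relying-party side of the check discussed in this message, as an added example that is not part of the original e-mail or of OpenSSL: it decodes a keyUsage extension value and accepts a CRL issuer only if the cRLSign bit is set. The function names and the sample byte strings are constructed for illustration; the bit order follows RFC 5280.

```python
# Added example: relying-party check of a CRL issuer's keyUsage (RFC 5280).
# Bit names in the order RFC 5280 section 4.2.1.3 defines them (bit 0 first).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried in a keyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] != len(der) - 2 or der[1] > 3:
        raise ValueError("bad length for a keyUsage BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero in DER")
    usages = set()
    for index, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(index, 8)
        # Bit 0 is the most significant bit of the first content byte.
        if byte < len(body) and body[byte] & (0x80 >> bit):
            usages.add(name)
    return usages

def issuer_may_sign_crl(key_usage_der) -> bool:
    """Return True if the issuer certificate is allowed to sign CRLs.

    None means the certificate has no keyUsage extension, in which case
    RFC 5280 places no restriction on the key.
    """
    if key_usage_der is None:
        return True
    return "cRLSign" in decode_key_usage(key_usage_der)

# Constructed sample extension values (not taken from any real certificate).
CA_WITH_CRLSIGN = bytes.fromhex("03020106")     # keyCertSign + cRLSign
CA_WITHOUT_CRLSIGN = bytes.fromhex("03020204")  # keyCertSign only

if __name__ == "__main__":
    for label, value in [("with cRLSign", CA_WITH_CRLSIGN),
                         ("without cRLSign", CA_WITHOUT_CRLSIGN),
                         ("no keyUsage", None)]:
        print(label, "->", issuer_may_sign_crl(value))
```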
