>Yes, you can't use an end user certificate as a CA (well there was this
>one broken one you could...) with most software because it isn't marked
>as being a valid CA. Either by having the CA flag set to FALSE in
>basicConstraints or implicitly because basicConstraints is absent and
>probably not having the right keyUsage bits set either.

The implied real question is how you can tell an end entity (EE) cert from a
CA cert. :)

>I believe Verisign has certified some US banks to issue their own global
>server IDs by signing a CA certificate with their global server root, and
>with suitable path length protection.

I don't think that helps. In order to be a "step-up CA" you have to get
the browsers to have that CA pre-loaded. Well, for Netscape you can do a
binary patch on the certstore (as documented in mod_ssl), but there is no
equivalent for IE. It's possible a bank could get a custom version of IE
through their links to MS, but I doubt they'd be willing/able to roll that
out to their customers.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
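The distinction the thread turns on (basicConstraints cA flag plus the keyCertSign keyUsage bit) as an added example, not code from the original message: a small DER reader that parses the two extension values and applies the rule. The byte strings and the function names are constructed for this example; `cryptography`-style libraries expose the same fields, but this shows what is actually on the wire.

```python
# Added example (not from the thread): decide CA vs end entity from the DER
# values of basicConstraints and keyUsage, per the rule quoted above.
# Sample byte strings below are constructed, not taken from a real cert.

KEY_CERT_SIGN = 5  # RFC 5280 KeyUsage bit 5 (bit 0 is digitalSignature)

def _read_tlv(buf, pos=0):
    """Read one DER tag/length/value; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_basic_constraints(der):
    """SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
    -> (ca, path_len). DER omits a FALSE cA, so an empty SEQUENCE is an EE;
    a BER encoder may still write the BOOLEAN out explicitly."""
    tag, body, _ = _read_tlv(der)
    assert tag == 0x30, "basicConstraints must be a SEQUENCE"
    ca, path_len, pos = False, None, 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x01:    # BOOLEAN: DER TRUE is 0xFF, BER any non-zero
            ca = val != b"\x00"
        elif tag == 0x02:  # INTEGER pathLenConstraint
            path_len = int.from_bytes(val, "big")
    return ca, path_len

def parse_key_usage(der):
    """BIT STRING -> set of set bit positions; first byte = unused trailing bits."""
    tag, body, _ = _read_tlv(der)
    assert tag == 0x03, "keyUsage must be a BIT STRING"
    unused, bits = body[0], body[1:]
    return {i for i in range(len(bits) * 8 - unused)
            if bits[i // 8] & (0x80 >> (i % 8))}

def is_ca(basic_constraints=None, key_usage=None):
    """Absent basicConstraints => end entity (the 'implicit' case in the
    thread); absent keyUsage imposes no extra restriction."""
    if basic_constraints is None or not parse_basic_constraints(basic_constraints)[0]:
        return False
    return key_usage is None or KEY_CERT_SIGN in parse_key_usage(key_usage)

# Constructed sample extension values (hex), not from any real certificate.
CA_BC = bytes.fromhex("300601 01ff 020100")  # cA=TRUE, pathLenConstraint=0
EE_BC_DER = bytes.fromhex("3000")            # DER: a FALSE cA is omitted
EE_BC_BER = bytes.fromhex("3003 010100")     # BER: cA=FALSE written out
CA_KU = bytes.fromhex("03020106")            # keyCertSign | cRLSign
EE_KU = bytes.fromhex("030205a0")            # digitalSignature | keyEncipherment
```

A cert with cA=TRUE but a keyUsage lacking keyCertSign is rejected as a CA, which is the second, easily overlooked half of the check the quoted message mentions.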
