Hi,

I've been looking around and can't see an answer to this, but if one
exists, please point me to it rather than posting again...

I have been playing with certificate chaining (signing certs that are
signed by a certificate signed by a certificate signed by ... a
self-signed certificate) and have got OpenSSL working with a chain by
supplying all the certificates to the code doing the verifying (e.g. by
placing them all in the CA certificate file - I could also have used the
hashed directory methods).

However, it seems to me that it would be better if the verifier had only
the root CA certificate, and the verifiee supplied not just its
certificate, but the intermediate certs in the chain.  In this way, the
verifier would not need updating if intermediate certs changed (the
verifiee would have to get new certs anyway, if an intermediate cert was
revoked).  Is this possible?  And if not, is there a good reason why not
(like it's a gaping security hole)?

Thanks,
Andrew
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
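The arrangement asked about above, as an added example that is not part of the original post or of OpenSSL's own documentation: a constructed three-level chain where the verifier is given only the self-signed root and the intermediate is passed in separately as an untrusted certificate, which is exactly what a TLS peer does when it sends its intermediates in the handshake. The subject names, file names and temporary directory are assumptions.

```shell
#!/bin/sh
# Constructed demo: build root -> intermediate -> leaf, then verify the leaf
# with a trust store holding ONLY the root. Names and paths are assumptions.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

make_chain() {
  # Extensions that make a cert usable as an issuer: without CA:TRUE the
  # intermediate is rejected as an invalid CA even if its signature is good.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  for n in root inter leaf; do
    openssl ecparam -genkey -name prime256v1 -noout -out "$n.key"
  done
  openssl req -new -key root.key -subj '/CN=Demo Root CA' -out root.csr
  openssl req -new -key inter.key -subj '/CN=Demo Intermediate CA' -out inter.csr
  openssl req -new -key leaf.key -subj '/CN=server.example.test' -out leaf.csr
  # Root: self-signed trust anchor, the only thing the verifier will hold.
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem
  # Intermediate: signed by the root and itself marked as a CA.
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.pem
  # Leaf: signed by the intermediate, which is NOT in the verifier's store.
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.pem
}

# Verifier has only the root and receives nothing else: no path can be built.
verify_root_only() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Verifier still has only the root; the peer supplies the intermediate.
# -untrusted means "use this to build the path, but do not trust it by itself":
# it is only accepted if the path it completes ends at a trusted root.
verify_with_peer_intermediate() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

make_chain >/dev/null 2>&1
if verify_root_only; then
  echo "unexpected: leaf verified without the intermediate"
else
  echo "root only, intermediate missing: verification fails (expected)"
fi
if verify_with_peer_intermediate; then
  echo "root only + intermediate supplied by the peer: verification OK"
fi
```

The same thing happens with the TLS callbacks: the peer's extra certificates go into path building as untrusted material, and the verifier's own store decides which root the path must end at.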
