> Check out the docs in the latest snapshot, particularly the verify and
> x509 commands. They explain how things operate in the snapshot and
> pretty much how 0.9.5 will do things.
Thanks. Think I can find the time somewhere this week :) When the
organisational reshuffles are over and I'm still working on our CA I'll dive
into the code someday. Until then I'm afraid I'm just an ordinary user
that needs documentation....
> That won't happen in 0.9.5. Instead I've concentrated on fixing the
> worst security problems of CA masquerading and lack of trust settings.
Now you make me wonder, but I'll ask after reading the snapshot docs.
> Having said that I haven't come across a case where the authority and
> subject key lookup is actually required because the basic subject lookup
> fails to yield the correct certificate. I know it's easy to construct
> such things but I mean "real world" examples. No doubt I'll now get sent
> several...
You could have a point here. I was fooling around with a test certificate
that is signed by our root CA (the SURFnet PCA). With this test certificate
I signed client certs and I had problems verifying the client certs. The
troubles went away after including the PCA certificate in the chain (which
basically tells me openssl does not trust anything unless the final root CA
cert is included). Think I could argue this reasoning ;). Basically our CA
will always put the correct subject line into a client/server cert, as will
the PCA (in a CA's cert). I think it all depends on how the actual clients
and servers handle chain-checking when deciding what might be useful for
the Openssl verify function to act like.
I tried to use it when something failed with my netscape browser, and since
that is a pretty closed environment I went to openssl for help. There's the
history of my initial question. Thanks for the answer, I'll have a look at
the docs :)
Jan
--
alive=true
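The situation Jan describes above (a client certificate issued by a sub-CA that only verifies once the root CA certificate is available) can be reproduced with today's openssl command-line tool. The script below is an added example and is not code from the mail thread or from the OpenSSL project; it builds a throwaway root CA, sub-CA and client certificate with made-up names (Example Root CA, Example Sub CA, client) and runs `openssl verify` three ways. It assumes an installed openssl of version 1.1.1 or later (the `-untrusted` and `-partial_chain` options and the chain-building behaviour shown here belong to the modern tool, not the 0.9.5 snapshots being discussed).

```sh
#!/bin/sh
# Added example, not from the original thread: show that `openssl verify`
# rejects a chain that does not end in a trusted self-signed root unless
# partial-chain trust is requested explicitly.  All names are made up.

WORK=$(mktemp -d)             # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Extension profile for the two CA certificates (root and sub-CA).
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Extension profile for the end-entity (client) certificate.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Run one openssl step quietly; replay its output only if it fails.
run() {
  "$@" >"$WORK/step.log" 2>&1 || { cat "$WORK/step.log" >&2; return 1; }
}

# P-256 key plus CSR: $1 = file basename, $2 = subject.
new_key_and_csr() {
  run openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2"
}

# Build root -> sub-CA -> client once per scratch directory.
setup_pki() {
  if [ -f "$WORK/client.pem" ]; then return 0; fi
  new_key_and_csr root   "/CN=Example Root CA" || return 1
  new_key_and_csr sub    "/CN=Example Sub CA"  || return 1
  new_key_and_csr client "/CN=client"          || return 1
  # Self-signed root CA.
  run openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -sha256 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" || return 1
  # Sub-CA signed by the root (the role of the test certificate in the mail).
  run openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/sub.pem" || return 1
  # Client certificate signed by the sub-CA.
  run openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/client.pem" || return 1
}

# Case 1: only the sub-CA is trusted, root absent.  The chain cannot be
# completed up to a self-signed anchor, so verification fails
# ("unable to get issuer certificate" at depth 1).
verify_sub_ca_only() {
  openssl verify -CAfile "$WORK/sub.pem" "$WORK/client.pem"
}

# Case 2: root trusted, sub-CA supplied as an untrusted intermediate.  This
# is the "include the PCA certificate" fix from the mail and succeeds.
verify_with_root() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/client.pem"
}

# Case 3: trust the sub-CA directly without a root by allowing a partial chain.
verify_sub_ca_partial() {
  openssl verify -CAfile "$WORK/sub.pem" -partial_chain "$WORK/client.pem"
}

# Print OK/FAIL for a verification case without aborting the script.
report() {
  label=$1; shift
  if "$@" >/dev/null 2>&1; then echo "$label: OK"; else echo "$label: FAIL"; fi
}

command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; exit 1; }
setup_pki || exit 1
report "sub-CA only, no root            " verify_sub_ca_only
report "root trusted, sub-CA -untrusted " verify_with_root
report "sub-CA only, -partial_chain     " verify_sub_ca_partial
```

The first case fails and the other two succeed. Case 3 is the modern way to say "I trust this sub-CA as an anchor in its own right"; without that flag, or without the root in `-CAfile`, openssl keeps walking up the chain until it runs out of issuers, which is exactly the behaviour observed above.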