On Thu, Oct 19, 2000 at 04:35:04PM -0400, Louis LeBlanc wrote:
> Ok, I think I get it now. The depth strictly relates to how many
> 'signings' you are removed from a root cert. I don't want to accept
> anything signed by someone who is also signed by a root cert, so I set
> my depth at 1. If I get to a root cert within that length of a cert
> chain, then I can check the root CA to see if I am going to trust it.
>
> So I set the preverify_ok to 1 if the chain isn't too long (verify_depth
> >= depth), but if there are any other errors in the verification, set it back to 0
> before returning it (in the switch statement).
The scenario you describe here is already covered by OpenSSL since version
0.9.5. A CA certificate contains a special flag. If my root CA signs my
certificate, I get a user or server certificate with this special flag
not being set. If I sign another cert with my certificate, OpenSSL flags this
as a verification error "X509_V_ERR_INVALID_CA".
So there is no need to care about the verification depth (at 0.9.5 or later;
0.9.4 did not implement these checks).
Here at TU Cottbus we now typically have certificates of three levels:
    server or user cert
        issued by
    TU Cottbus CA (computer center)
        issued by
    DFN PCA (certification authority of the German science network organization)
and there is no security problem, as I trust the DFN PCA to only issue
certificates to computer centers of universities which will adhere to
the policy agreement. I don't have to care about the verification
depth at all (I can allow more than 2), as the CA of TU Cottbus will either not
sign subordinate CAs or only for trustworthy suborganizations (which will
probably not be needed).
At TU Berlin (I used to work there some years ago and still have a lot of
friends there :-), the layering is different. They have now introduced
a layering of:
    server cert
        issued by
    TU Berlin server CA
        issued by
    TU Berlin CA
        issued by
    DFN PCA
As you can see, it is good enough to have DFN PCA as root authority registered
and to not limit the verification depth.
> several weeks. If you are ever in the Boston Area, I owe you a beer (we
> have some decent American beers around here :)
I don't have any special plans to come to the Boston area, but I will remember
your words. (And be aware that the German type of invitation is more binding
than the American one :-)
Best regards,
Lutz
PS. That reminds me to switch from self-made (my own CA) certificates
to TU Berlin issued certificates in the near future. This service is
pretty new.
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
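The behaviour Lutz describes, as an added example that is not from the thread and not OpenSSL project code: a shell script that builds the root PCA -> university CA -> server chain with the openssl CLI (all names constructed) and shows that a certificate issued by the server certificate fails verification on its own, with no -verify_depth needed, because the server cert carries basicConstraints CA:FALSE. It assumes a reasonably current openssl binary (1.1.1 or later) on PATH.

```shell
# Added example (not from the thread): build the three-level chain from the
# message with the openssl CLI, then show that a certificate issued *by* the
# server certificate is rejected because of its CA:FALSE flag. Names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# issue <name> <issuer|self> <CA:TRUE|CA:FALSE>  -> writes <name>.key, <name>.pem
# basicConstraints is the "special flag" that decides whether a cert may issue.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" 2>/dev/null
    printf 'basicConstraints=critical,%s\n' "$3" >"$1.ext"
    if [ "$2" = self ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 \
            -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
            -days 365 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    fi
}

build_chain() {
    if [ -f child.pem ]; then return 0; fi
    issue pca self CA:TRUE            # trusted root, like the DFN PCA
    issue university pca CA:TRUE      # subordinate CA, like the TU Cottbus CA
    issue server university CA:FALSE  # end-entity (server) certificate
    issue child server CA:TRUE        # issued by a non-CA cert: must be rejected
}

# verify_chain <leaf> [untrusted issuers...]; exit status is OpenSSL's verdict.
# No -verify_depth is set, as the message recommends: the CA flag does the work.
verify_chain() {
    leaf="$1.pem"; shift
    args=""
    for i in "$@"; do args="$args -untrusted $i.pem"; done
    openssl verify -CAfile pca.pem $args "$leaf" >/dev/null 2>&1
}

build_chain
if verify_chain server university; then
    echo "server.pem: chain server -> university -> pca verified"
fi
if verify_chain child university server; then
    echo "child.pem: accepted (unexpected)"
else
    echo "child.pem: rejected, server.pem is not a CA:"
    openssl verify -CAfile pca.pem -untrusted university.pem -untrusted server.pem \
        child.pem 2>&1 | grep -i 'invalid CA' || true
fi
```

The second verify prints OpenSSL's own reason, the X509_V_ERR_INVALID_CA error named in the message, so the rejection does not depend on any depth limit set by the application.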