> Would this be a hassle if you have a root CA with a lot of intermediate
> signers? That means that you have to store/locate all possible intermediate
> signers to evaluate a couple of end user certificates.
This is why PKCS12 (iirc) provides a mechanism to provide intermediate certs with the final cert. The CA should have a suitable chain for its own certs, and it can return the extra certs with everything that it signs.

This doesn't help you when presented a naked cert by a stranger - you still have to locate those intermediate certs - but at that point you have more problems than just finding the intermediate certs. What does it mean to have a full cert chain if the root is a self-signed cert by "Bob's Bait Shop and Certificate Authority"? You could decide to ignore any cert that's not from a major CA (which would make the stockholders of Verisign very happy), but that misses the point. An individual cert by Verisign really says very little about the person, while a cert signed by a small college for its students for internal use may be rock solid.

On a related note, is there documentation on how to set up "well-behaved" certs and PKCS12 bags? I couldn't find anything the last time I checked, but maybe something has come out since then.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
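The chain-in-the-bag mechanism described above, as an added shell example (not from the post or the OpenSSL project): a constructed root -> intermediate -> leaf hierarchy, the leaf exported to PKCS#12 together with its intermediate, and `openssl verify` run both on the naked leaf and with the certs pulled back out of the bag. All names, files and the password are made up; it assumes OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Constructed demo: root CA -> intermediate -> leaf, then the leaf bundled with its
# intermediate in a PKCS#12 file. Names, files and password are made up for this example.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: a v3 CA cert needs basicConstraints CA:TRUE or verify rejects it
cat > ext.cnf <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF

newkey="-newkey rsa:2048 -nodes"
# Self-signed root
openssl req -new $newkey -keyout root.key -out root.csr -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ext.cnf -extensions v3_ca -out root.pem 2>/dev/null
# Intermediate signed by the root
openssl req -new $newkey -keyout int.key -out int.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
    -extfile ext.cnf -extensions v3_ca -out int.pem 2>/dev/null
# End-entity cert signed by the intermediate
openssl req -new $newkey -keyout leaf.key -out leaf.csr -subj "/CN=leaf.example.com" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 30 \
    -extfile ext.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# The mechanism from the post: ship the intermediate inside the PKCS#12 next to the leaf
openssl pkcs12 -export -in leaf.pem -inkey leaf.key -certfile int.pem \
    -passout pass:demo -out leaf.p12

# A "naked" leaf checked against the root alone: no path to the root can be built
verify_naked() { openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }

# Pull the certs back out of the bag and feed them to verify as untrusted intermediates
verify_with_bundle() {
    openssl pkcs12 -in leaf.p12 -passin pass:demo -nokeys -out bundle.pem 2>/dev/null
    openssl verify -CAfile root.pem -untrusted bundle.pem leaf.pem >/dev/null 2>&1
}

if verify_naked; then echo "unexpected: naked leaf verified"; else echo "naked leaf: no chain to root"; fi
if verify_with_bundle; then echo "leaf + bundled intermediate: chain verified"; fi
```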