On Mon, 10 Dec 2001, Bear Giles wrote:

> > Would this be a hassle if you have a root CA with a lot of intermediate
> > signers?  That means that you have to store/locate all possible intermediate
> > signers to evaluate a couple of end user certificates.
>
> This is why PKCS12 (iirc) provides a mechanism to provide intermediate
> certs with the final cert.  The CA should have a suitable chain for its
> own certs, and it can return the extra certs with everything that it
> signs.

This likely applies to the PKCS7 Signed structure.

> This doesn't help you when presented a naked cert by a stranger - you
> still have to locate those intermediate certs - but at that point you
> have more problems than just finding the intermediate certs.  What does
> it mean to have a full cert chain if the root is a self-signed cert by
> "Bob's Bait Shop and Certificate Authority?"

Any parseable certificate presented by a stranger is good enough to
use that public key to send email encrypted to *his* private key.
At least if there's no chance for a man-in-the-middle.

Probably you are talking about verification that the stranger is authorized
by some big guy to pay. It's a completely different issue. Yes, one needs the
(root) certificate of that big guy and the intermediate certs to verify the chain.

> You could decide to ignore any cert that's not from a major CA (which
> would make the stockholders of Verisign very happy), but that misses
> the point.  An individual cert by Verisign really says very little about
> the person, a cert signed by a small college for its students for
> internal use may be rock solid.

One could care about CA certificates related to his business, either
well-known or private ones used to verify access to local resources.

> On a related note, is there documentation on how to set up a "well-
> behaved" certs and PKCS12 bags?  I couldn't find anything the last
> time I checked, but maybe something has come out since then.

Any problem with the PKCS12 specifications published by RSA Labs?
What is "well-behaved"?

-vf
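The point argued in this thread (a naked end-entity cert cannot be verified against a root without the intermediate, and the CA can hand the intermediate back inside a PKCS#7 or PKCS#12 bundle) as an added example, not code from the thread or the OpenSSL project. It assumes an `openssl` command-line tool of version 1.1.1 or later on the PATH; every name, path and serial number is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a toy three-level PKI showing why a
# "naked" end-entity certificate fails to verify without the intermediate CA
# certificate, and how that intermediate travels with the leaf inside a
# PKCS#7 or PKCS#12 bundle. All names, paths and serials are constructed.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# One EC key per level: root CA, intermediate CA, end entity.
for n in root inter leaf; do
  openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"
done

# Self-signed root -> intermediate signed by root -> leaf signed by intermediate.
openssl req -x509 -new -key root.key -days 365 -config req.cnf \
  -extensions v3_ca -subj "/CN=Example Root CA" -out root.pem

openssl req -new -key inter.key -config req.cnf \
  -subj "/CN=Example Intermediate CA" -out inter.csr
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 1001 \
  -days 365 -extfile req.cnf -extensions v3_inter -out inter.pem 2>/dev/null

openssl req -new -key leaf.key -config req.cnf \
  -subj "/CN=alice@example.com" -out leaf.csr
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 2001 \
  -days 365 -extfile req.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# Verify leaf.pem against the trusted root only. An optional $1 names a file
# of untrusted intermediates. Echoes "ok" or "fail" rather than aborting.
verify_leaf() {
  if [ $# -gt 0 ]; then
    openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1 \
      && echo ok || echo fail
  else
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1 \
      && echo ok || echo fail
  fi
}

# Number of PEM certificates in a file (extra text such as "Bag Attributes" is ignored).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# What the CA can return with everything it signs: a certs-only PKCS#7 (no CRL),
# or a PKCS#12 bag holding the private key, the leaf and the intermediate.
openssl crl2pkcs7 -nocrl -certfile leaf.pem -certfile inter.pem -out bundle.p7b
openssl pkcs7 -in bundle.p7b -print_certs -out from_p7.pem

openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile inter.pem \
  -passout pass:changeit -out leaf.p12
openssl pkcs12 -in leaf.p12 -passin pass:changeit -nokeys -out from_p12.pem

echo "naked leaf, root only:      $(verify_leaf)"               # fail
echo "leaf + intermediate file:   $(verify_leaf inter.pem)"     # ok
echo "leaf + certs from PKCS#7:   $(verify_leaf from_p7.pem)"   # ok
echo "leaf + certs from PKCS#12:  $(verify_leaf from_p12.pem)"  # ok
echo "certs in PKCS#7 / PKCS#12:  $(count_certs from_p7.pem) / $(count_certs from_p12.pem)"  # 2 / 2
```

The first `verify_leaf` call fails with "unable to get local issuer certificate" because the verifier has the root and the leaf but nothing linking them; the other three succeed because the intermediate is supplied as untrusted input, whether from a loose file or extracted from the PKCS#7 or PKCS#12 bundle. Only root.pem is ever trusted; the intermediate is merely used to build the chain.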

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]