> By definition, a "root cert" is one where the issuer is also the signer.
> How you determine issuer===signer can be problematic (insert various
> Gutman data here :), but most software probably compares DN's.
I might not have been clear on this - the table is intended to be used as the "cert store" for certs issued by the CA, not a general purpose cert store. The CA has complete control over everything that goes into the table, and will include a bunch of companion java servlets that query the database. (Think nsRevocationUrl and the like, or similar PKIX lookup functions.) If the database has strong integrity checks, the servlets can be thin.

Anyway, my current test for a "root cert" has been whether X509_verify(cert, X509_get_pubkey(cert)) (or "x509_verify(x,x)" in the PostgreSQL binding) returns true. I originally planned to compare keyids, but have decided to just cache the results of this test instead.

I've been ignoring the subject and issuer DNs for now from the assumption that an attacker could exploit any difference in how I recognize root certs (self-signature or subject/issuer DN) to slip in some bad certs. But this is an exercise in futility unless the cert chains will be acceptable to others, hence the questions.

> If your
> libpkixpg functions generate the keyid if not present, then your schema
> looks correct.

Nope, if the keyid is absent you get a null. But this isn't an issue since my signing code always adds the keyids.

> A more correct term, although not as impressive, is
> probably "self-signed cert."

Since the intention is to label the terminal certs in a cert chain maintained by the CA, a "root cert" could be a CA cert signed by a third party. That's the end of the chain as far as the database is concerned. You're unlikely to get such a cert from Verisign, but you might get a restricted one from a parent organization. In this case, the test for root certs would become something like X509_verify(cert, X509_get_pubkey(parentcert)) where the 'parentcert' is the foreign signing key.
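The three "is this a root?" tests discussed in the message (self-signature, subject/issuer DN equality, and SKI/AKI keyid comparison), plus the parent-signed variant at the end, side by side. This is an added example and not code from the thread or from libpkixpg; it uses the third-party Python `cryptography` package instead of the OpenSSL C API, and every certificate and key it checks is constructed in memory as test data. The `signed_by` helper is the Python equivalent of the post's `X509_verify(cert, X509_get_pubkey(signer))`; the `impostor` fixture is a certificate whose subject and issuer DNs agree but whose signature was made by an unrelated key, which is exactly the case where the DN test and the signature test disagree.

```python
"""Classify certificates as root or issued using a signature check rather than DN
equality. Added example; `cryptography` is a third-party package, and all key
material below is generated on the fly for the demonstration."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cn, subject_key, signing_key):
    """Build a cert whose subject DN, issuer DN, subject key and signing key are
    chosen independently, so the fixture can deliberately mismatch them.
    SKI/AKI extensions are always added, as the post says its signing code does."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(
            subject_key.public_key()), critical=False)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
            signing_key.public_key()), critical=False)
    )
    return builder.sign(signing_key, hashes.SHA256())


def signed_by(cert, pubkey):
    """Equivalent of X509_verify(cert, pubkey) != 0 for an ECDSA-signed cert."""
    try:
        pubkey.verify(cert.signature, cert.tbs_certificate_bytes,
                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def is_self_signed(cert):
    """The post's current root test: the cert verifies under its own key."""
    return signed_by(cert, cert.public_key())


def dn_says_root(cert):
    """The weaker test most software uses: subject DN equals issuer DN."""
    return cert.subject == cert.issuer


def keyid_says_root(cert):
    """The keyid test the post considered: AKI keyid equals SKI.
    Returns None when either extension is absent (the 'you get a null' case)."""
    try:
        ski = cert.extensions.get_extension_for_class(
            x509.SubjectKeyIdentifier).value.digest
        aki = cert.extensions.get_extension_for_class(
            x509.AuthorityKeyIdentifier).value.key_identifier
    except x509.ExtensionNotFound:
        return None
    return ski == aki


def classify(cert, parent=None):
    """Root if self-signed, or if signed by the supplied foreign parent cert
    (the X509_verify(cert, X509_get_pubkey(parentcert)) variant); else issued."""
    if is_self_signed(cert):
        return "root:self-signed"
    if parent is not None and signed_by(cert, parent.public_key()):
        return "root:parent-signed"
    return "issued"


def build_fixture():
    """Constructed test certificates covering each case discussed in the thread."""
    parent_key = ec.generate_private_key(ec.SECP256R1())
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    other_key = ec.generate_private_key(ec.SECP256R1())
    return {
        "parent": make_cert("Parent Org CA", "Parent Org CA", parent_key, parent_key),
        "ca_self": make_cert("Our CA", "Our CA", ca_key, ca_key),
        # restricted CA cert issued to us by the parent organization
        "ca_sub": make_cert("Our CA", "Parent Org CA", ca_key, parent_key),
        "leaf": make_cert("server", "Our CA", leaf_key, ca_key),
        # subject == issuer by name, but the signature comes from an unrelated key
        "impostor": make_cert("Our CA", "Our CA", ca_key, other_key),
    }


if __name__ == "__main__":
    certs = build_fixture()
    for label, cert in certs.items():
        print(f"{label:9s} dn={dn_says_root(cert)!s:5} keyid={keyid_says_root(cert)!s:5} "
              f"self={is_self_signed(cert)!s:5} -> {classify(cert, parent=certs['parent'])}")
```

Running the module prints one line per fixture certificate; the `impostor` line is the one to read: the DN test reports it as a root while the self-signature test does not, which is the divergence the message is worried about. A store that keys on `classify()` alone never consults the DNs, so there is no second recognition path to diverge from.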
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]