Hi,
I have a question regarding cert path validation like it is done by the openssl suite.
I read 'man verify' and 'man s_server', but to me it is still unclear whether the CA certificates of *intermediate* CAs must be either in the file specified by -CAfile or in the directory (with symlink hash) specified by -CApath if openssl is to successfully validate a presented end-entity certificate.
I know that the root certificates must be present at one or the other of these locations though. But how about the intermediates?
I assume the intermediate CA certs must be available if the end-entity does not send at least a long enough suffix of the certificate chain - long enough to connect to a CA cert installed in either -CAfile or -CApath with a complete cert chain prefix leading to an installed root.
[With the start of the cert chain prefix being the root cert and the end of the cert chain suffix being the end-entity cert.]
Right?
And a question about CRL checking during path validation: according to the unused error codes/messages regarding CRLs and revoked certificates in the openssl verify command, on-the-fly CRL retrieval and checking is not done yet. Is there work on the way, or are there plans to get this stuff into the openssl suite?
Thanks for any insights on these,
Cheers
Reimer

-- 
Dipl. Inform. Reimer Karlsen (PKI Team), DFN-CERT Services GmbH
https://www.dfn-cert.de
PGP RSA/2048, 1A9E4B95, A6 9E 4F AF F6 C7 2C B8 DA 72 F4 5E B4 A4 F0 66
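As an added example (not part of Reimer's message and not the OpenSSL project's own code), the script below builds a throwaway root -> intermediate -> leaf PKI with the openssl command line and then runs `openssl verify` against the leaf four ways, which is exactly the question asked: once with only the root trusted and the intermediate available nowhere, once with the intermediate appended to the -CAfile bundle, once with the intermediate passed via `-untrusted` (the verify option that stands in for the chain a TLS peer sends), and once with both CA certificates in a hashed -CApath directory. All subject names, file names, the directory and the hostname are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSL itself.
# Builds a test PKI (root -> intermediate -> leaf) and shows which trust
# inputs `openssl verify` needs to build a path to the trusted root.
# Every name and path here is constructed for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue CSR ISSUER_CERT ISSUER_KEY OUT EXTFILE
# Signs the CSR with the issuer's key. `openssl x509 -req -extfile` reads
# bare key=value lines, so no config section is needed.
issue() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 7 -sha256 -extfile "$5" -out "$4" >/dev/null 2>&1
}

build_test_pki() {
  # Extension profiles: CA certificates get CA:TRUE + keyCertSign, the leaf does not.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:leaf.example.test\n' > "$WORK/leaf.ext"

  # Self-signed root: CSR signed with its own key, CA extensions from ca.ext.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
    -subj "/CN=Example Test Root" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 7 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
    -subj "/CN=Example Test Intermediate" >/dev/null 2>&1
  issue "$WORK/inter.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/inter.pem" "$WORK/ca.ext"

  # End-entity certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=leaf.example.test" >/dev/null 2>&1
  issue "$WORK/leaf.csr" "$WORK/inter.pem" "$WORK/inter.key" "$WORK/leaf.pem" "$WORK/leaf.ext"

  # A -CApath directory: files named <subject_hash>.0, as c_rehash would create them.
  mkdir -p "$WORK/capath"
  for c in root inter; do
    cp "$WORK/$c.pem" "$WORK/capath/$(openssl x509 -noout -hash -in "$WORK/$c.pem").0"
  done
}

# Verify leaf.pem with only the given trust inputs (-no-CAfile/-no-CApath keep
# the system default store out of the picture); echo "ok" or "fail".
check() {
  if openssl verify -no-CAfile -no-CApath "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# 1. Root trusted, intermediate available nowhere: no path can be built.
verify_root_only() { check -CAfile "$WORK/root.pem"; }

# 2. Intermediate appended to the -CAfile bundle next to the root.
verify_root_and_inter_file() {
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
  check -CAfile "$WORK/bundle.pem"
}

# 3. Intermediate supplied as an untrusted chain certificate, as a peer would send it.
verify_untrusted_inter() { check -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem"; }

# 4. Root and intermediate both in a hashed -CApath directory.
verify_capath() { check -CApath "$WORK/capath"; }

build_test_pki
printf 'root in -CAfile, intermediate absent:      %s\n' "$(verify_root_only)"
printf 'root + intermediate in -CAfile:            %s\n' "$(verify_root_and_inter_file)"
printf 'root in -CAfile, intermediate -untrusted:  %s\n' "$(verify_untrusted_inter)"
printf 'root + intermediate in -CApath:            %s\n' "$(verify_capath)"
```

Case 1 fails because verify cannot find the leaf's issuer anywhere and so never reaches the root; cases 2 and 4 pass because an intermediate placed in -CAfile or -CApath is simply another certificate the store can use to continue the path; case 3 passes because `-untrusted` feeds the intermediate as chain material without trusting it, which is the same role the peer's transmitted chain plays in s_server or s_client.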
