On Tue, 16 Nov 2004, David Schwartz wrote:

>
> > X509_verify_cert will construct the cert chain up to the ROOT CA and then
> > validates the chain and finally verifies the self-certificate.  What I
> > understand is that this function expects the ROOT CA to be
> > self-signed and it MUST be present in the trusted list.
>
>       Right.
>
> > 1. Is it MUST that the Root CA be self-signed.
>
>       What else would sign the root CA? If something else signed it, it
> wouldn't be a root CA.
>
> > The reason is that the
> > trust anchor up to which the application MAY verify need not be the ROOT
> > CA.
>
>       That is the definition of a root CA. It is the one that you trust.
>
I have thought about that also, especially as there are so many CAs and
even root CAs in the real world.
In theory, if there are very few root CAs, they could cross-sign each
other's certificates, i.e. Root CA A signs Root CA B's certificate and
vice versa. This perhaps does not help much; it only makes it a bit easier
to trust, say, B if you know that A also trusts B (like banks trust each
other, or Dell trusts HP or vice versa :-). Well, in the case of banks
this might prove that you are dealing with the real bank and not a fake
one, unless both are fake). Would OpenSSL and other software support such
cross-signing, or would they fail because the chain never ends?

   Jan

> > Is there any standard that indicates that the chain MUST be verified
> > up to the ROOT CA.  Is there any way where I can tell the function to
> > return success even if the chain is not complete (up to ROOT CA).
>
>       You can replace the verify function with your own and declare a success
> under whatever conditions you want. If you want a quick, ugly way to make
> intermediate certificates act like root ones, just create your own temporary
> root and self-signed certificate, add that self-signed certificate to your
> list of trusted roots. Then, for any intermediate certificate you want to
> trust, just generate your own certificate signed with your temporary root,
> and add it to the list of certificates.
>
>       DS
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
>
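The cross-signing question above (does the chain ever end?), as an added illustration that is not part of this thread and not OpenSSL's own code: a toy path builder that stops at whichever root is in the trust store and treats an A<->B cross-signing cycle as a failed path rather than an endless one. The Cert class, build_chain, and the A/B/leaf names are assumptions made for the example.

```python
# Added illustration, not OpenSSL code: a toy X.509 path builder showing why
# cross-signed roots do not make chain building run forever. A certificate is
# just a (subject, issuer) name pair; all certificates below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equal to subject for a self-signed certificate
    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(leaf: Cert, pool: list, trusted: list) -> list:
    """Return the chain from `leaf` to a trust anchor (anchor last), or raise.
    The walk stops at the first anchor it meets, so a cross-signed copy of that
    anchor in the pool is never used; `seen` turns a cross-signing cycle into
    a clean failure instead of an endless walk."""
    anchors = {c.subject: c for c in trusted if c.self_signed}
    by_subject = {}
    for c in pool:
        by_subject.setdefault(c.subject, []).append(c)

    def walk(chain, seen):  # depth-first with backtracking
        current = chain[-1]
        if current.issuer in anchors:
            return chain + [anchors[current.issuer]]
        for cand in by_subject.get(current.issuer, []):
            # Skip untrusted self-signed certs (they lead nowhere) and certs
            # already in the chain (we have gone round a cross-signing loop).
            if cand.self_signed or cand in seen:
                continue
            found = walk(chain + [cand], seen | {cand})
            if found is not None:
                return found
        return None

    result = walk([leaf], {leaf})
    if result is None:
        raise ValueError(f"no path from {leaf.subject!r} to a trusted root")
    return result


def chain_subjects(leaf: Cert, pool: list, trusted: list) -> list:
    return [c.subject for c in build_chain(leaf, pool, trusted)]

# Constructed scenario: roots A and B cross-sign each other, the pool also
# carries B's own self-signed certificate, and the leaf was issued by B.
LEAF = Cert("leaf.example", "B")
POOL = [Cert("B", "A"), Cert("A", "B"), Cert("B", "B")]
ROOT_A, ROOT_B = Cert("A", "A"), Cert("B", "B")
```

With only A trusted, the builder uses B's cross-signed certificate and ends at A; with B trusted, it stops at B immediately; with neither trusted, the A<->B loop is detected and the path fails instead of running forever.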