On Fri, Mar 17, 2006, Olaf Gellert wrote:

> Dr. Stephen Henson wrote:
> > On Fri, Mar 17, 2006, michael Dorrian wrote:
> >
> > > 1. Can a CA signed by the root CA act as a trusted CA itself?.
> >
> > Provided the root CA permits this...
>
> Actually I think: not. It seems to be impossible
> to evaluate a certificate only up to a subCA,
> openssl always requires the complete chain up to
> the root CA. So I cannot tell openssl "this is a
> trusted subordinate CA, that's enough."
>
That's not actually what I meant. I meant that a valid subCA signed by a
trusted root CA is itself trusted.

There is a mechanism to restrict trust to explicit chains in S/MIME but not
currently in SSL.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
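
Added example, not part of the original thread and not OpenSSL project code: a throwaway three-level PKI that reproduces both points above with `openssl verify`. All certificate names are constructed, and "the root CA permits this" is taken here to mean the `basicConstraints` CA flag the root sets on the subordinate certificate (an assumption about the reply's wording).

```shell
#!/usr/bin/env bash
# Added example: constructed throwaway PKI; every name below is made up.
set -u
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# mk NAME ISSUER CONSTRAINT   (ISSUER "self" makes a self-signed root)
mk() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$W/$1.key" 2>/dev/null
  openssl req -new -key "$W/$1.key" -subj "/CN=$1" -out "$W/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,%s\n' "$3" > "$W/$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 1 \
      -extfile "$W/$1.ext" -out "$W/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
      -CAcreateserial -days 1 -extfile "$W/$1.ext" -out "$W/$1.pem" 2>/dev/null
  fi
}

# check ANCHOR LEAF [INTERMEDIATE]: prints "ok" or "fail"
# ANCHOR is the only trusted certificate; INTERMEDIATE is supplied untrusted.
check() {
  if openssl verify -CAfile "$W/$1.pem" ${3:+-untrusted "$W/$3.pem"} \
       "$W/$2.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

mk root  self  CA:TRUE    # trust anchor
mk subca root  CA:TRUE    # root permits subca to act as a CA
mk leaf  subca CA:FALSE   # end-entity issued by subca
mk notca root  CA:FALSE   # root does NOT permit this one to act as a CA
mk leaf2 notca CA:FALSE   # end-entity "issued" by notca anyway

# subCA signed by a trusted root is itself trusted as an issuer:
echo "root trusted, subca as intermediate : $(check root leaf subca)"   # ok
# subCA alone in the trust store, chain cannot reach a root (default settings):
echo "only subca trusted, no root         : $(check subca leaf)"        # fail
# intermediate the root issued without the CA flag:
echo "root trusted, notca as intermediate : $(check root leaf2 notca)"  # fail
```

The second result is the default behaviour described in the quoted message; OpenSSL releases since 1.0.2 also have a `-partial_chain` verify option that lets a non-self-signed certificate in the trust store end the chain.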
