This may be the wrong place to ask this since it is not OpenSSl specific, but would cross signing of a x.509 cert to verify it's contents be a good measure to increase the trustworthiness of a cert. Take the following example...
We have a CA which hands out certs with authorization type attributes (the purpose extension comes to mind). Whoever has root access to that CA could create a sub CA, or an arbitrary cert. What if the CA where to send the presigned cert to another trusted box who could then verify the contents and sign the cert in a noncritical extension. The main CA could then sign the cert in the standard way. Then applications that were paranoid about authorization could check the permission by using the public key of the checker CA. Would this work? If so, wouldn't this make it more difficult for any one person to do unauthorized things with certs by enforcing a check and balance type system? Thanks, Andrew ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
