On Fri, Jun 19, 2009, Peter Sylvester wrote:

> Hello,
>
> some recent changes in openssl (1.0.0) done by Stephen Henson
> are about an addition to have policy checking in path validation.
>
> I am trying to find out how to configure a small hierarchy with
> one root and one operational CA, i.e. one that issues certs to
> end entities, in the following way:
>
> The operational CA (by itself as a standalone CA) has two policies,
> i.e. it may create end entities with an OID 1 and others with OID 2
> as a certificatePolicy.
>
> The root CA is a trust anchor for some application, let's say
> a web server or some email signature validator.
>
> The root CA wants to issue a certificate that limits
> a valid path only for those end entity certs with, let's say,
> OID 1, and for the others the path would not be valid.
>
> I think that 'openssl verify' in 1.0.0-beta2 should be usable
> as is for testing.
This needs one of those box diagrams ;-)

The simplest cases have policies as the intersection of the sets of all
policies, with the trust anchor policies being ignored.

Say you have root->CA1(OID1, OID2) [i.e. CA1 has certificatePolicies and
OID1, OID2 present]. Nothing signed by CA1 can have anything other than
OID1 or OID2 (or anyPolicy but I'm keeping it simple here).

If you have CA1(OID1,OID2)->CA2(OID1) nothing below CA2 can have anything
other than OID1. Similarly CA1(OID1,OID2)->CA3(OID2).

Note that policy processing has to be specifically enabled with the
appropriate verification arguments, it isn't by default.

Yes "openssl verify" is usable for testing.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
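The hierarchy Steve sketches, built and checked end to end with the openssl command line, as an added example that is not part of the thread and not OpenSSL's own test code. It constructs root -> CA1 {OID1, OID2} -> CA2 {OID1} and two end-entity certs under CA2, one asserting OID1 and one asserting OID2, then runs "openssl verify" both with policy processing off (the default) and with it on (-policy_check, -explicit_policy, -policy OID). The two OIDs, the certificate names and the extension profiles are made up for the example; the root carries no certificatePolicies because trust-anchor policies are ignored during path validation anyway.

```shell
#!/bin/sh
# Added example: root -> ca1 {OID1,OID2} -> ca2 {OID1} -> ee1 {OID1} / ee2 {OID2},
# verified with and without policy checking. Everything is generated in a
# temporary directory; nothing touches the system OpenSSL config.
set -eu

OID1=1.3.6.1.4.1.99999.1   # constructed, arbitrary OID for the example
OID2=1.3.6.1.4.1.99999.2   # constructed, arbitrary OID for the example

WORK=$(mktemp -d)
cd "$WORK"

# One extension section per certificate. The empty [dn] section is enough
# because every subject is supplied with -subj.
cat > ext.cnf <<EOF
[req]
distinguished_name = dn
[dn]

[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign

[ca1]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
certificatePolicies = $OID1,$OID2

[ca2]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
certificatePolicies = $OID1

[ee1]
basicConstraints = CA:FALSE
certificatePolicies = $OID1

[ee2]
basicConstraints = CA:FALSE
certificatePolicies = $OID2
EOF

# newkey NAME: fresh P-256 key in NAME.key (fast to generate, fine for a test PKI)
newkey() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$1.key"
}

# csr NAME: certificate request for NAME, signed with NAME.key
csr() {
  openssl req -new -config ext.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
}

# issue NAME ISSUER: sign NAME.csr with ISSUER's key, applying the [NAME] extension section
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 365 -sha256 -extfile ext.cnf -extensions "$1" -out "$1.crt" 2>/dev/null
}

build_hierarchy() {
  newkey root && csr root
  openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
    -extfile ext.cnf -extensions root -out root.crt 2>/dev/null
  for n in ca1 ca2 ee1 ee2; do newkey "$n" && csr "$n"; done
  issue ca1 root
  issue ca2 ca1
  issue ee1 ca2
  issue ee2 ca2
  cat ca1.crt ca2.crt > chain.pem    # the untrusted intermediates
}

# verify_plain EE: default verification; certificatePolicies is never consulted
verify_plain() {
  openssl verify -CAfile root.crt -untrusted chain.pem "$1" >/dev/null 2>&1
}

# verify_policy EE OID: policy processing on, a non-empty valid policy tree
# required, and OID must survive the intersection down the path.
# Returns openssl verify's exit status (non-zero on rejection).
verify_policy() {
  openssl verify -CAfile root.crt -untrusted chain.pem \
    -policy_check -explicit_policy -policy "$2" "$1" >/dev/null 2>&1
}

# show LABEL CMD...: report the outcome without letting set -e abort on a rejection
show() {
  label=$1; shift
  if "$@"; then echo "$label: valid"; else echo "$label: rejected"; fi
}

build_hierarchy
show "ee1, no policy check" verify_plain  ee1.crt
show "ee2, no policy check" verify_plain  ee2.crt
show "ee1, require $OID1"   verify_policy ee1.crt "$OID1"
show "ee1, require $OID2"   verify_policy ee1.crt "$OID2"
show "ee2, require $OID2"   verify_policy ee2.crt "$OID2"
```

Both end-entity certs verify when policy processing is left off, which is the default Steve warns about. With -policy_check and -explicit_policy, ee1 is accepted for OID1 and rejected for OID2, and ee2 is rejected even when OID2 is requested, because CA2 only carries OID1 and the intersection is empty below it; openssl reports that case as "no explicit policy". Add -policy_print to see the valid policy tree openssl builds for each path.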