On Fri, Jun 19, 2009 at 10:07 AM, Dr. Stephen Henson <st...@openssl.org> wrote:
>
> This needs one of those box diagrams ;-)
>
> The simplest cases have policies as the intersection of the sets of all
> policies. With the trust anchor policies being ignored.
>
> Say you have root->CA1(OID1, OID2)
>
> [i.e. CA1 has certificatePolicies and OID1, OID2 present]
>
> Nothing signed by CA1 can have anything other than OID1 or OID2 (or anyPolicy
> but I'm keeping it simple here).
>
> If you have CA1(OID1,OID2)->CA2(OID1)
>
> nothing below CA2 can have anything other than OID1.
>
> Similarly CA1(OID1,OID2)->CA3(OID2)
>
> Note that policy processing has to be specifically enabled with the appropriate
> verification arguments, it isn't by default. Yes "openssl verify" is usable
> for testing.
>
> Steve.

Isn't this very much akin to the proxy certificate verification process?

-Kyle H
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
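
The intersection rule from the quoted message, as an added example that is not part of the thread and is not OpenSSL code: a set-based model of the root->CA1->CA2/CA3 cases. It goes slightly beyond the quoted text by also handling anyPolicy and a certificate with no certificatePolicies extension; policy mappings, inhibitAnyPolicy and explicit-policy requirements are left out, and OID1/OID2 are constructed values in the 2.999 example arc.

```python
ANY_POLICY = "2.5.29.32.0"          # anyPolicy OID from RFC 5280
OID1, OID2 = "2.999.1", "2.999.2"   # constructed OIDs (2.999 is the example arc)


def step(valid, cert_policies):
    """Apply one certificate's certificatePolicies to the running valid set.

    valid: set of policy OIDs still acceptable above this certificate.
    cert_policies: set of OIDs asserted by this certificate, or None when
    the extension is absent (nothing remains valid below it).
    """
    if cert_policies is None:
        return set()
    if ANY_POLICY in valid:
        # Nothing above has narrowed the set yet, so the certificate's
        # own policies are taken as they are.
        return set(cert_policies)
    allowed = {p for p in cert_policies if p in valid}
    if ANY_POLICY in cert_policies:
        # anyPolicy in the certificate carries every still-valid policy through.
        allowed |= valid
    return allowed


def valid_policies(chain):
    """Return the policies valid at the end of the chain.

    chain: policy sets ordered from the first CA below the trust anchor
    down to the last certificate. The trust anchor itself is not listed,
    because its policies are ignored.
    """
    valid = {ANY_POLICY}
    for cert_policies in chain:
        valid = step(valid, cert_policies)
    return valid


if __name__ == "__main__":
    cases = {
        "CA1": [{OID1, OID2}],
        "CA1->CA2": [{OID1, OID2}, {OID1}],
        "CA1->CA3": [{OID1, OID2}, {OID2}],
        "CA1->CA2->leaf(OID2)": [{OID1, OID2}, {OID1}, {OID2}],
    }
    for name, chain in cases.items():
        print(name, sorted(valid_policies(chain)))
```

An empty result means no policy is valid for the chain, which only causes a verification failure when policy checking is enabled and an explicit policy is required.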