On 23/03/10 3:09 PM, Konrads Smelkovs wrote:
> What are the risk moments here? Why was this clause put in?

Probably due to the complexity of handling the trust path correctly - most clients can't do even the most simple checks required by RFC 5280/3280 - expecting the client to somehow know that a CA an arbitrary number of hops along the trust chain (think cross-certification instead of hierarchical PKI) is authoritative for certificates issued by a given CA, without some form of explicit delegation (think the CRLIssuers field in the CRLDP), is probably not the best way to build a trust mechanism.

You can STILL do what you want by using client-side manual configuration: "Hey, I, as a Relying Party, trust that this OCSP responder knows about the certificates coming from this particular CA, even though it isn't the same CA that signed this cert." That's what the config option that Steve gave you is for.

Have fun.

Patrick.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
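To make the two situations in the reply concrete, here is an added example (not part of the thread, and not OpenSSL project code): a throwaway PKI in which one OCSP response for a leaf certificate is signed by a responder the CA explicitly delegated to (OCSP signing EKU) and, separately, by an unrelated responder, then verified with `openssl ocsp`. It assumes the `openssl` CLI is installed and that `-VAfile`, OpenSSL's explicitly-trusted-responder option, is the kind of client-side configuration the reply refers to; every name and serial is constructed.

```shell
# Added example (not from the thread or the OpenSSL project): throwaway PKI,
# one OCSP response for leaf.pem signed by two different responders, and a
# check of which one `openssl ocsp` accepts. Needs the openssl CLI; all names
# and serials are constructed.
set -e

newcsr() {  # $1 basename, $2 CN -> writes $1.key and $1.csr
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

sign() {  # $1 basename, $2 serial, $3 extension line, $4 "self" or "ca"
    printf '%s\n' "$3" > "$1.ext"
    if [ "$4" = self ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial "$2" -days 1 \
            -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$2" \
            -days 1 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    fi
}

setup_pki() {
    cd "$(mktemp -d)"
    newcsr ca TestCA;      sign ca 0x1 'basicConstraints=critical,CA:TRUE' self
    newcsr leaf Leaf;      sign leaf 0x1000 'basicConstraints=CA:FALSE' ca
    # Delegated responder: issued by the CA with the OCSP signing EKU, i.e. the
    # explicit delegation a client can recognise without any local configuration.
    newcsr delegated Resp; sign delegated 0x1001 'extendedKeyUsage=OCSPSigning' ca
    # Third-party responder: self-signed and never delegated to by TestCA.
    newcsr other Other;    sign other 0x1 'basicConstraints=CA:FALSE' self
    # CA-style index the responder answers from (status, expiry, revoked-at,
    # serial in hex matching leaf's 0x1000, file name, subject).
    printf 'V\t991231235959Z\t\t1000\tunknown\t/CN=Leaf\n' > index.txt
}

# Sign a response for leaf.pem as responder $1 (offline, -index mode), then verify
# it as a relying party that trusts only ca.pem plus any extra options after $1.
# Returns 0 if openssl accepts the responder, 1 on "Response Verify Failure".
check_responder() {
    signer=$1; shift
    openssl ocsp -index index.txt -CA ca.pem -rsigner "$signer.pem" -rkey "$signer.key" \
        -issuer ca.pem -cert leaf.pem -no_nonce -noverify \
        -respout "resp.$signer.der" >/dev/null 2>&1
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -CAfile ca.pem \
        -respin "resp.$signer.der" "$@" >/dev/null 2>&1
}
setup_pki
check_responder delegated               && echo "CA-delegated responder: accepted"
check_responder other                   || echo "unrelated responder: rejected"
check_responder other -VAfile other.pem && echo "unrelated responder, explicitly trusted: accepted"
```

Note that `-VAfile` trusts the listed responder for any response it signs, not just for this CA's certificates, so keep such a list scoped to the validation of the CA it was configured for.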