On Thu, Jun 03, 2010 at 09:36:56AM -0400, jeff wrote:

> I have an example, detailed below, that specifies permitted and excluded
> subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate
> requests adhering to and violating the name constraints both, even
> though the nameConstraints are marked as critical.

I would expect such constraints to only apply when certificates are
being *verified*. There seems to be little point in preventing a CA
from attempting to sign violating certificates.

Generally, OpenSSL does not verify peer names, only the certificate
trust chain, and peername checks are left up to applications. Does
OpenSSL trust chain validation include any checks on name constraints?

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
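The point made above (the CA tooling signs whatever it is asked to; nameConstraints bite when a relying party verifies the chain) can be checked directly with the openssl CLI. The script below is an added example, not part of the thread or of OpenSSL's own documentation; it assumes an openssl binary (1.1.1 or later) on PATH, and the CA names, file names and the example.com / example.org host names are constructed for the demo. It builds a root, a sub-CA with a critical permitted-subtree constraint on DNS:.example.com, then issues one conforming and one violating leaf: both signings succeed, and `openssl verify` rejects only the violating one.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSL signs a leaf that violates the
# sub-CA's critical nameConstraints, but rejects that leaf at verification.
# Assumes an openssl CLI (1.1.1 or later) on PATH; all names are made up.

# Write a CSR and sign it with the constrained sub-CA.
#   $1 = output basename, $2 = host name used for both CN and SAN
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1 || return 2
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$2" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA sub.crt -CAkey sub.key -CAcreateserial \
        -days 1 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

# Returns 0 when signing is unconstrained AND verification enforces the
# constraints; non-zero if either expectation does not hold.
demo_name_constraints() {
    work=$(mktemp -d) || return 2
    (
        cd "$work" || exit 2
        cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_sub]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Only DNS names under example.com may appear in certificates below this CA.
nameConstraints = critical, permitted;DNS:.example.com
EOF
        # Self-signed root.
        openssl req -x509 -new -newkey rsa:2048 -nodes -config req.cnf \
            -extensions v3_root -subj "/CN=Demo Root" -days 2 \
            -keyout root.key -out root.crt >/dev/null 2>&1 || exit 2
        # Constrained sub-CA, issued by the root.
        openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
            -subj "/CN=Demo Constrained Sub CA" \
            -keyout sub.key -out sub.csr >/dev/null 2>&1 || exit 2
        openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
            -days 1 -extfile req.cnf -extensions v3_sub -out sub.crt >/dev/null 2>&1 || exit 2

        # Signing: both leaves are issued without complaint, even the violating one.
        issue_leaf good www.example.com || { echo "signing of conforming leaf failed"; exit 1; }
        issue_leaf bad evil.example.org || { echo "signing of violating leaf was refused"; exit 1; }
        echo "sub-CA signed evil.example.org despite its critical nameConstraints"

        # Verification: the chain check is where the constraints are enforced.
        openssl verify -CAfile root.crt -untrusted sub.crt good.crt >/dev/null 2>&1 \
            || { echo "conforming leaf unexpectedly rejected"; exit 1; }
        if out=$(openssl verify -CAfile root.crt -untrusted sub.crt bad.crt 2>&1); then
            echo "violating leaf unexpectedly accepted"
            exit 1
        fi
        echo "violating leaf rejected at verification: $out"
    )
    status=$?
    rm -rf "$work"
    return "$status"
}

demo_name_constraints
```

The rejected chain reports X509_V_ERR_PERMITTED_VIOLATION ("permitted subtree violation"). The practical consequence is that a CA operator who wants issuance itself to refuse out-of-scope names has to enforce that in the issuance policy or tooling; the extension protects relying parties that validate the chain, not the signing step.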
