* Johannes Bauer wrote on Fri, Jan 13, 2012 at 14:22 +0100: [...] > >>> Or, in other words: Let's assume I have a ultimate root > >>> (self-signed) "Root" and a branched CA "X". I would like to > >>> trust "X" and all it's children, but not "Root". Is this > >>> not possible? [yes, it is not possible "by default"]
> Thank you for your clarification. I also do not really see the > point why the anchor of trust has to be self-signed. I also wondered about this time ago. I think when a user explicitely puts a sub-CA or even a non-CA certificate into the database of trusted certificates, chain verification could stop there without knowing the root-CA. Only point to require root-CA is to check if it still is valid and require it in order to be able to check it's CRL for the sub-CA being included. Personally, I still wonder why I should be stopped from trusting a sub-CA even if the root-CA revoked it when I explicitely configure it to do so, but anyway usually OS or browser vendors seem to decide for the users whom to trust ;-) > In my scenario this restriction actually makes the whole system > less secure (since it allows a superset of certificates to be > valid instead of just a tiny subset). Certify the identity to be authentic, that means that the name given in the certificate is authentic. This is like an ID card or passport. >From this it cannot be concluded whether the authentic name owner is authorized for communication (or whatever). For this, some list of allowed names is needed. This is like a guest list. Unfortunately it seems to happen from time to time to meet some projects/installations that check only whether a peer is authentic but not it authorized (like: anyone with a valid password can use the VIP entry, because no guest list check is performed). For example, in a typical webbrowser I think you cannot configure NOT to communicate with authentic badguy.malware.com; if TLS makes it absolutely sure that you really communicate with `badguy', you will get a green security symbol :-) oki, Steffen -- End of message. My personal opinion only etc. About Ingenico: Ingenico is a leading provider of payment, transaction and business solutions, with over 15 million terminals deployed in more than 125 countries. Over 3,000 employees worldwide support merchants, banks and service providers to optimize and secure their electronic payments solutions, develop their offer of services and increase their point of sales revenue. http://www.ingenico.com/. This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. P Please consider the environment before printing this e-mail ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org