Hello Jakob,

On 03.08.2012 at 09:52, Jakob Bohm wrote:

>> My assumption of a chain of trust is that the end of a trust chain is
>> reached (= a server or client certificate is seen as valid and secure) if the
>> whole chain of certificates ends in an entity where subject=issuer and
>> CA:true (and mathematical verification of the signed certificate is true).
>> In the past, this was a perfectly explainable environment for all issues
>> about certificate chains and trust. How is then trust handled (if the above
>> mentioned method for linking trust via subject hash is used) for self-signed
>> certificates in general?
>
> This rule is no longer entirely true.
>
> The new rule is to stop when reaching a cert in your local trusted
> or banned list, self-signed or otherwise, and to not check if the
> self-signature (if any) is valid.

Thank you for your information update, this is very useful information for me.

May I ask if my understanding of your words is correct: if a self-signed certificate is found in the certificate chain (which is normally the case instantly), the validation stops, as seen in the technical tests with the given error?

Is there a programmable way to allow single self-signed certificates (like using the trust mechanism) without "opening" security for *all* self-signed certificates (so the administrator of the system may import one special one, but decline to use others)?

Regards,
Harald
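As an added illustration (not part of the thread above, and not OpenSSL project code) of the per-certificate trust Harald asks about: the local trust store decides which self-signed certificate is a trust anchor, so a store holding exactly one administrator-imported self-signed certificate accepts that certificate and still rejects any other self-signed one. The script assumes the `openssl` command-line tool is installed and generates two throwaway self-signed certificates (constructed for the demo).

```shell
#!/bin/sh
# Added example: trust one specific self-signed certificate by putting only
# that certificate into the trust store; any other self-signed certificate
# still fails verification. Assumes the `openssl` CLI is available.
set -e

WORK="${TMPDIR:-/tmp}/selfsigned-trust-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned NAME CN: create a constructed self-signed cert NAME.pem
# (subject = issuer, CA:TRUE by default for `req -x509`) plus its private key.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        >/dev/null 2>&1
}

make_selfsigned admin "admin-imported.example"        # the one the admin imports
make_selfsigned stranger "unknown-selfsigned.example"  # any other self-signed cert

# The trust store contains exactly the certificate the administrator chose.
cp "$WORK/admin.pem" "$WORK/truststore.pem"

# verify_against_store NAME: returns 0 if NAME.pem chains to a certificate in
# truststore.pem, non-zero otherwise. -no-CAfile/-no-CApath keep the system
# default trust locations out of the decision, so only truststore.pem counts.
verify_against_store() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/truststore.pem" \
        "$WORK/$1.pem" >/dev/null 2>&1
}

# Stand-alone run: the imported cert is trusted, the other one is rejected.
for name in admin stranger; do
    if verify_against_store "$name"; then
        echo "$name: trusted (present in the local trust store)"
    else
        echo "$name: rejected (self-signed, not in the trust store)"
    fi
done
```

Note that verification stops at the trusted certificate itself: it is accepted because it is in the store, not because its self-signature is checked, which is exactly the rule Jakob describes.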
>> My assumption of a chain of trust is that the end of a trust chain is >> reached (=a server or client certificate is seen as valid and secure) if the >> whole chain of certificates ends in an entifiy where subject=issuer and >> CA:true (and mathematically verification of the signed certificate is true). >> In the past, this was a perfectly explainable environment for all issues >> about certificate chains and trust. How is then trust handled (if the above >> mentioned method for linking trust via subject hash is used) for self-signed >> certificate in general? >> This rule is no longer entirely true. > > The new rule is to stop when reaching a cert in your local trusted > or banned list, self-signed or otherwise, and to not check if the > self-signature (if any) is valid. Thank you for your information update, this is a very useful information for me. May I ask if my understanding of your words are correct: if a self-signed certificate is being found in the certificate chain (which is normally the case instantly), the validation stops as seen in the technical tests with the given error? Is there a programmable way to allow single self-signed certificates (like using the trust mechanism) without "opening" security for *all* self-signed certificates (so the administrator of the system may import one special, but decline to use others)? Regards, Harald______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org