On Tue, Feb 05, 2013, Michael Ionescu wrote:

> On 07.07.2012 23:27, Dr. Stephen Henson wrote:
> > 
> > I added an option -force_pubkey to the OpenSSL 'x509' utility
> > to do this. It is only in HEAD at present.
> 
> 
> Hi Steve,
> 
> that's excellent! If I am not mistaken, this is exactly what one would
> also need in order to use the pubkey in individually trusted
> S/MIME-Certs when the issuing CA is categorically untrusted. One could
> simply create a cert for local use in encryption/signature-validation
> from one's own trusty CA.
> 

There are problems with that approach. In the case of PKCS#7, certificates are
identified by issuer name and serial number, not public key. So a new CA
wouldn't be recognised as it would have a different name.

In the case of CMS you can identify the certificate by key identifier,
but you'd have to make sure the SKID extension of the new certificate
matched the old one.

> Are there any plans to include your patch in vanilla openssl anytime soon?
> 

It can be backported to OpenSSL 1.0.2 easily enough. Due to the versioning
rules it can't appear in anything sooner.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org