On Tue, Feb 05, 2013, Michael Ionescu wrote:

> On 07.07.2012 23:27, Dr. Stephen Henson wrote:
> > 
> > I added an option -force_pubkey to the OpenSSL 'x509' utility
> > to do this. It is only in HEAD at present.
> Hi Steve,
> that's excellent! If I am not mistaken, this is exactly what one would
> also need in order to use the pubkey in individually trusted
> S/MIME certs when the issuing CA is categorically untrusted. One could
> simply create a cert for local use in encryption/signature-validation
> from one's own trusty CA.

There are problems with that approach. In the case of PKCS#7, certificates are
identified by issuer name and serial number, not public key. So a new CA
wouldn't be recognised as it would have a different name.

In the case of CMS you can identify the certificate by key identifier,
but you'd have to make sure the SKID extension of the new certificate
matched the old one.

> Are there any plans to include your patch in vanilla openssl anytime soon?

It can be backported to OpenSSL 1.0.2 easily enough. Due to the versioning
rules it can't appear in anything sooner.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
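An added worked example for the exchange above; it is not code from this thread, from the posters, or from the OpenSSL project. It re-issues an end-entity S/MIME certificate under a local CA with `openssl x509 -force_pubkey` (OpenSSL 1.0.2 or later), copies the original SKID into the new certificate, and then shows the two points Steve makes: a CMS signer identified by SubjectKeyIdentifier still resolves to the locally issued certificate, while one identified by issuerAndSerialNumber (the only form PKCS#7 has) no longer matches because the issuer name changed. All file names, subjects, the "Untrusted CA" / "Local Trust CA" names and the message text are constructed for the demonstration; the throwaway-key CSR is only there because `x509 -req` needs a validly signed request to read the subject from.

```shell
#!/bin/sh
# Added example for this thread; not code from the openssl-users list or the
# OpenSSL project. Re-issues an S/MIME certificate under a local CA with
# `openssl x509 -force_pubkey` (OpenSSL 1.0.2 or later), keeps the original
# public key, copies the original SKID, then checks which CMS signer
# identifiers still resolve to the re-issued certificate. All names, subjects
# and key material below are constructed for the demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ='/CN=Alice Example/emailAddress=alice@example.com'   # assumed subject

q() { "$@" >/dev/null 2>&1; }   # run an openssl command quietly

# Self-signed CA with explicit CA extensions, so the result does not depend
# on whatever openssl.cnf the host has. $1 = file prefix, $2 = CN.
make_ca() {
  q openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
      > "$WORK/ca.ext"
  q openssl x509 -req -days 3650 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$WORK/ca.ext" -out "$WORK/$1.pem"
}

# The certificate Alice received from the CA we do not want to trust.
make_original() {
  q openssl req -newkey rsa:2048 -nodes -subj "$SUBJ" \
      -keyout "$WORK/alice.key" -out "$WORK/alice.csr"
  printf 'subjectKeyIdentifier=hash\nbasicConstraints=CA:FALSE\n' > "$WORK/ee.ext"
  q openssl x509 -req -days 365 -in "$WORK/alice.csr" -CA "$WORK/untrusted.pem" \
      -CAkey "$WORK/untrusted.key" -CAcreateserial -extfile "$WORK/ee.ext" \
      -out "$WORK/alice-orig.pem"
}

# Hex SKID (AB:CD:...) of a certificate, taken from `x509 -text` output.
skid_of() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Key Identifier' \
      | tail -n 1 | tr -d ' \t'
}

# Re-issue Alice's certificate under the local CA. The public key comes from
# the original certificate via -force_pubkey; x509 -req still needs a CSR
# with a valid signature, so a throwaway key signs one and is then ignored.
reissue() {
  openssl x509 -in "$WORK/alice-orig.pem" -pubkey -noout > "$WORK/alice.pub"
  q openssl req -newkey rsa:2048 -nodes -subj "$SUBJ" \
      -keyout "$WORK/throwaway.key" -out "$WORK/reissue.csr"
  # Copy the original SKID verbatim rather than recomputing it with "hash":
  # the CMS SubjectKeyIdentifier lookup compares the bytes, not the method.
  printf 'subjectKeyIdentifier=%s\nbasicConstraints=CA:FALSE\n' \
      "$(skid_of "$WORK/alice-orig.pem")" > "$WORK/reissue.ext"
  q openssl x509 -req -days 365 -in "$WORK/reissue.csr" \
      -force_pubkey "$WORK/alice.pub" -CA "$WORK/localca.pem" \
      -CAkey "$WORK/localca.key" -CAcreateserial -extfile "$WORK/reissue.ext" \
      -out "$WORK/alice-local.pem"
}

# Two signatures by Alice over a constructed message, with no certificates
# embedded: one names the signer by SKID, the other by issuerAndSerialNumber.
make_signatures() {
  printf 'hello from alice\n' > "$WORK/msg.txt"
  q openssl cms -sign -in "$WORK/msg.txt" -signer "$WORK/alice-orig.pem" \
      -inkey "$WORK/alice.key" -keyid -nocerts -out "$WORK/by-skid.p7m"
  q openssl cms -sign -in "$WORK/msg.txt" -signer "$WORK/alice-orig.pem" \
      -inkey "$WORK/alice.key" -nocerts -out "$WORK/by-ias.p7m"
}

# Verify using only the locally issued certificate and the local CA.
verify_with_local() {
  q openssl cms -verify -in "$1" -certfile "$WORK/alice-local.pem" \
      -CAfile "$WORK/localca.pem" -out /dev/null
}

pubkey_matches() {
  [ "$(openssl x509 -in "$WORK/alice-orig.pem" -pubkey -noout)" = \
    "$(openssl x509 -in "$WORK/alice-local.pem" -pubkey -noout)" ]
}
skid_matches() {
  [ "$(skid_of "$WORK/alice-orig.pem")" = "$(skid_of "$WORK/alice-local.pem")" ]
}

make_ca untrusted 'Untrusted CA'
make_original
make_ca localca 'Local Trust CA'
reissue
make_signatures
pubkey_matches
skid_matches
q openssl verify -CAfile "$WORK/localca.pem" "$WORK/alice-local.pem"
verify_with_local "$WORK/by-skid.p7m" && echo "SKID signer: locally issued cert found, verified"
if verify_with_local "$WORK/by-ias.p7m"; then
  echo "unexpected: issuerAndSerialNumber matched"; exit 1
else
  echo "issuerAndSerialNumber signer: no match, the issuer name changed"
fi
```

Run it with `sh` on a host whose `openssl` is 1.0.2 or newer. The practitioner's check is the SKID copy in reissue(): using `subjectKeyIdentifier=hash` would only reproduce the old value if the untrusted CA happened to use the same hash method, so the script takes the bytes from the old certificate instead and confirms they match before signing anything.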
