On Thu, Mar 27, 2014 at 2:47 AM, Stefan H. Holek <ste...@epy.co.at> wrote:
> No reason. Just for maximum compatibility. Every software can do SHA1. But
> this comes up a lot and I might switch to sha256 the next time around.

It appears that even most "legacy" web browsers and servers support sha256, given these lists:
http://www.tbs-certificates.co.uk/FAQ/en/476.html
http://www.tbs-certificates.co.uk/FAQ/en/477.html

Are there other lists of other products that are modern (or still in active use), but lack sha256 compatibility?

>> 2. I couldn't figure out what the [additional_oids] section of the
>> Expert example's root-ca.conf file is for - either through research or
>> going through the commit history. Could you elaborate on what that
>> accomplishes?
>
> These define symbolic names for policy OIDs used in the certificatePolicies
> extension. You could well use the raw numbers without mapping them to names.
> Also note that policies are entirely optional and you are free to ignore them
> if you don't have a use case.

I assume that verifying that only correct/allowed OIDs are used in a cert chain happens whether or not they get used by the rest of the software, correct? Or is this configurable?

> Thank you for your feedback,

Thank you for working on this!

- Zack

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org