* Johannes Bauer wrote on Fri, Jan 13, 2012 at 14:22 +0100:
[...]
Or, in other words: Let's assume I have a ultimate root
(self-signed) Root and a branched CA X. I would like to
trust X and all it's children, but not Root. Is this
not possible?
[yes, it is not possible by default]
Thank you for your clarification. I also do not really see the
point why the anchor of trust has to be self-signed.
I also wondered about this time ago. I think when a user
explicitely puts a sub-CA or even a non-CA certificate into the
database of trusted certificates, chain verification could stop
there without knowing the root-CA.
Only point to require root-CA is to check if it still is valid
and require it in order to be able to check it's CRL for the
sub-CA being included.
Personally, I still wonder why I should be stopped from trusting
a sub-CA even if the root-CA revoked it when I explicitely
configure it to do so, but anyway usually OS or browser vendors
seem to decide for the users whom to trust ;-)
In my scenario this restriction actually makes the whole system
less secure (since it allows a superset of certificates to be
valid instead of just a tiny subset).
Certify the identity to be authentic, that means that the name
given in the certificate is authentic. This is like an ID card or
passport.
From this it cannot be concluded whether the authentic name owner
is authorized for communication (or whatever). For this, some
list of allowed names is needed. This is like a guest list.
Unfortunately it seems to happen from time to time to meet some
projects/installations that check only whether a peer is
authentic but not it authorized (like: anyone with a valid
password can use the VIP entry, because no guest list check is
performed).
For example, in a typical webbrowser I think you cannot configure
NOT to communicate with authentic badguy.malware.com; if TLS
makes it absolutely sure that you really communicate with
`badguy', you will get a green security symbol :-)
oki,
Steffen
--
End of message. My personal opinion only etc.
About Ingenico: Ingenico is a leading provider of payment, transaction and
business solutions, with over 15 million terminals deployed in more than 125
countries. Over 3,000 employees worldwide support merchants, banks and service
providers to optimize and secure their electronic payments solutions, develop
their offer of services and increase their point of sales revenue.
http://www.ingenico.com/.
This message may contain confidential and/or privileged information. If you
are not the addressee or authorized to receive this for the addressee, you must
not use, copy, disclose or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you for
your cooperation.
P Please consider the environment before printing this e-mail
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
