However, when a CA rekeys you'd expect some indicator of the new key
used, not just "try everything you've got and see what happens".
You're more optimistic than I.
Salz, Rich wrote:
>
> > A bit odd but it makes sense I suppose: I wouldn't like to
> >guess as to which software will handle this properly though.
>
> Yes, that is exactly what is going on.
> It is *VERY* odd -- I'd argue it's broken.
>
I'd argue it's broken too. At the very least I'd expect so
>It seems to be that this behaviour is implied by the extensions: that is
>both certificates have the same subject and issuer names and they match
>each other: crl-sign however doesn't have permission to sign
>certificates but cert-sign does. Presumably this is intended to mean
>that you use the p
Rich Salz wrote:
>
> Sorry, you're right. The cert-sign is okay, but the crl-sign cert
> which is signed by cert-sign fails to verify the sig. We'd normally
> suspect the CA that generated the certs, but (1) it verifies when we
> use our hardware crypto; (2) it's not our CA. :)
>
> So, we do be
Sorry, you're right. The cert-sign is okay, but the crl-sign cert
which is signed by cert-sign fails to verify the sig. We'd normally
suspect the CA that generated the certs, but (1) it verifies when we
use our hardware crypto; (2) it's not our CA. :)
So, we do believe there's a bug in openssl.
Salz, Rich wrote:
>
> The following certs were generated using a popular commercial CA.
>
> The cert-sign cert verifies okay; the cert-sign cert does NOT verify
Err, would you like to try that again, but without the contradiction this
time? :-)
> the crl-sign cert -- OpenSSL verify command claim