"Richard Levitte via RT" <[EMAIL PROTECTED]> writes:

> I'm honestly very unsure about this one.  After all, "openssl ca" 
> already covers this, so I wonder why there's a need to create another 
> way to do the same thing, and add to the confusion on how to do things..
> .

How would you use "openssl ca" to do the same?  Wouldn't it change
fields in signed certificate, or at least require that the CA key used
to sign correspond to the issuer in the certificate to be signed?  As
far as I understood, the RT thread only indicate "openssl ca" has the
same poor security as -noselfsign imply (in that it makes it possible
for the user to sign certificates without POP), not that "openssl ca"
can do the same operation.

That said, I'm not using OpenSSL today, so I don't have a real
interest in the patch.  If you believe it doesn't add value, I won't
pursue the matter further.

Thanks,
Simon

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to