On Tue, Jul 05, 2005, Martin Kraemer wrote:

> > Since then CA checks have been made mandatory in the code even if "Any
> > Purpose" is set. So if you actually tried to use that certificate as a CA it
> > would be rejected.
>
> If that is so, then how can the following happen (with a recent
> openssl-dev):
> [example of ca utility]

The 'ca' utility doesn't currently check the validity of the CA certificate it
is signing with. So it will happily sign with an invalid CA but the verification
routines will reject it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
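
A pre-flight check of the kind the reply says the 'ca' utility lacks, together with a run showing the verification routines rejecting a leaf issued under a non-CA certificate. This is an added example, not part of the original thread or of OpenSSL's code; all file and subject names are constructed, and `openssl x509 -req` stands in for 'ca' as the signer, on the assumption that it also signs without checking the issuer.

```shell
#!/bin/sh
# Added example. File names and subject names are constructed for illustration.

# Pre-flight check: succeed only if the certificate asserts basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Create a self-signed certificate. $1 = file prefix, $2 = TRUE or FALSE.
make_selfsigned() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = constructed-$1
[ext]
basicConstraints = critical,CA:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Sign a leaf with issuer prefix $1, then run the verification routines.
# The return status is that of `openssl verify` (non-zero means rejected).
sign_and_verify() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1.cnf" \
        -subj "/CN=constructed-leaf" -keyout leaf.key -out leaf.csr 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA "$1.pem" -CAkey "$1.key" \
        -set_serial 1 -days 1 -out "leaf-$1.pem" 2>/dev/null &&
    openssl verify -CAfile "$1.pem" "leaf-$1.pem" >/dev/null 2>&1
}
```

Running `is_ca_cert` on the issuer before any signing step catches the problem at issuance time instead of leaving it to be discovered when relying parties verify the chain.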