Mark Reynolds via RT wrote:
> This is a bug report for OpenSSL version 0.9.8e. The top level summary is
> that misconfigured certificates with a bogus Issuer field are processed as
> if the field was valid.
>
> The Issuer should have an attribute of commonName (OID 2.5.4.3) and a value
> of some kind of string (e.g. T61String). If instead it has a bogus
> attribute, such as the obsolete OID 2.5.4.2, the command
>
>     openssl x509 -in badcert.pem -inform PEM -noout -text
>
> should report that the certificate has no issuer. Instead it reports an
> issuer containing the literal string "2.5.4.2" followed by the string value
> of this OID. This seems like a clear violation of RFC3280 to me.

I don't see how not having a commonName is a violation of RFC 3280. I would really like to agree with you, but I know there are roots in the wild that don't have a CN field. I may have missed some text in the RFC - could you reference a specific section? I agree it's 'best practice' but I think some CAs don't follow that practice...
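
The Name encoding at issue in this thread, as an added example (not from the posters or the OpenSSL project): a minimal DER walk over a constructed issuer whose only attribute is OID 2.5.4.2, reporting whether the Name is empty, whether it carries a commonName, and which attribute types fall outside a small known set. The function names, the `KNOWN` table and both sample Names are assumptions made for illustration.

```python
# Added example; KNOWN is a small illustrative subset of attribute-type OIDs.
KNOWN = {"2.5.4.3": "commonName", "2.5.4.10": "organizationName"}

def tlv(tag, body):  # encode one DER TLV, short-form length only (< 128 bytes)
    return bytes([tag, len(body)]) + body

def children(body):  # yield (tag, value) for each DER TLV packed in body
    pos = 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        if pos + length > len(body):
            raise ValueError("truncated DER")
        yield tag, body[pos:pos + length]
        pos += length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # first byte packs two arcs
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)              # base-128, high bit = continue
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def name_attributes(name_der):  # [(oid, value)] for each AttributeTypeAndValue
    (tag, rdns), = children(name_der)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out = []
    for _, rdn in children(rdns):                  # RelativeDistinguishedName (SET)
        for _, atv in children(rdn):               # AttributeTypeAndValue (SEQUENCE)
            (_, oid), (_, value) = children(atv)
            out.append((decode_oid(oid), value.decode("latin-1")))
    return out

def audit_issuer(name_der):
    attrs = name_attributes(name_der)
    return {"empty": not attrs,
            "has_cn": any(oid == "2.5.4.3" for oid, _ in attrs),
            "unrecognized": [oid for oid, _ in attrs if oid not in KNOWN],
            "display": ", ".join(f"{KNOWN.get(o, o)}={v}" for o, v in attrs)}

def sample_name(oid_body, text):  # constructed one-attribute Name, PrintableString
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, oid_body) + tlv(0x13, text))))

BOGUS = sample_name(bytes([0x55, 0x04, 0x02]), b"Example Issuer")  # OID 2.5.4.2
WITH_CN = sample_name(bytes([0x55, 0x04, 0x03]), b"Example CA")    # OID 2.5.4.3
```

`audit_issuer(BOGUS)` returns a non-empty Name with no commonName and a display string of `2.5.4.2=Example Issuer`, so a relying party that wants to treat such issuers specially has to apply that policy itself, for example by checking `has_cn` or `unrecognized`.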
