On Fri, Jan 15, 2010, Kyle Hamilton wrote:

> My understanding is that OpenSSL doesn't really use the "trusted
> certificate" system, which contains the information about what a
> certificate is trusted for. Further, the bits available for the
> Windows store don't have an isomorphic mapping within the trust
> parameters that OpenSSL provides.
>
> Is there a spec on OpenSSL's "trusted certificate" architecture? Is
> there any guidance available on best practices to map from one to the
> other, or is that such a complex subject that it needs a full
> treatise?
>
It is currently relatively simple. There is some documentation in the x509 utility. Effectively a root CA can be restricted to certain usages only. For compatibility with existing code, if no settings are included, use is unrestricted. One exception is trusted OCSP global roots, which need an explicit trust value.

I think there is a way to retrieve the Windows store trust settings. This would map neatly to the OpenSSL system. Including the certificate alias would also be a useful thing to do.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
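The restriction Steve describes, shown as an added example that is not part of this thread: a throwaway self-signed root (constructed test material) is turned into an OpenSSL "TRUSTED CERTIFICATE" that is trusted for TLS server auth, rejected for S/MIME, and given an alias, and `openssl verify -purpose` is run against the plain and the restricted copy. It assumes an `openssl` binary with the `-trusted` verify option (1.1.0 or later) and a default config that marks `req -x509` output as a CA.

```sh
#!/bin/sh
# Demonstrates OpenSSL trust settings on a root CA: unrestricted by default,
# restricted once -addtrust/-addreject values are attached.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test PKI: a self-signed root and one leaf it signs. Neither is a
# real CA; both are discarded on exit.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj /CN=DemoRoot -days 1 >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj /CN=leaf >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out leaf.pem >/dev/null 2>&1

# Attach trust settings: the root may anchor TLS server chains only, is
# explicitly rejected for S/MIME, and carries a human-readable alias. The
# output PEM block is "TRUSTED CERTIFICATE", which verify/-trusted honours.
# (An OCSP responder root would likewise need an explicit -addtrust OCSPSigning.)
openssl x509 -in ca.pem \
    -addtrust serverAuth -addreject emailProtection \
    -setalias "Demo Root (TLS only)" -out ca-trusted.pem

# verify_with PURPOSE ROOTFILE: prints "ok" or "fail" for the leaf under
# that root with that purpose (sslserver, smimesign, ...).
verify_with() {
    if openssl verify -trusted "$2" -purpose "$1" leaf.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# alias_of FILE: the alias stored in the certificate's trust settings.
alias_of() {
    openssl x509 -in "$1" -noout -alias
}

# pem_header FILE: first line, to show the changed PEM type.
pem_header() {
    head -n 1 "$1"
}

# Plain root (no settings): accepted for both purposes, as the reply says.
# Restricted root: TLS server still OK, S/MIME signing rejected.
echo "plain/sslserver:      $(verify_with sslserver ca.pem)"
echo "plain/smimesign:      $(verify_with smimesign ca.pem)"
echo "restricted/sslserver: $(verify_with sslserver ca-trusted.pem)"
echo "restricted/smimesign: $(verify_with smimesign ca-trusted.pem)"
echo "alias: $(alias_of ca-trusted.pem); header: $(pem_header ca-trusted.pem)"
```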