On 08.05.14 16:15, Dr. Stephen Henson wrote:
> Well technically AKID should only be used as a hint (various PKIX list discussions have confirmed this). In that sense OpenSSL is already too strict: if AKID completely mismatches it will decide that the candidate certificate cannot be an issuer.
I don't understand the usefulness of the AKID then. If it's only a hint and can't even be used to exclude certain certificates as issuers, what is it good for?
Assuming that the behavior of X509_check_akid() is correct, maybe the usage of it in crl_akid_check() in x509_vfy.c is not correct then because it relies on the answer of X509_check_akid()? As the AKID is only a hint, shouldn't crl_akid_check() verify by other means that the candidate is actually the issuer?
--
Stephan

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
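To make the "hint" semantics under discussion concrete, the following is an added Python model (not OpenSSL's code, and not posted by anyone in this thread) of the three comparisons X509_check_akid() makes in x509_vfy.c: key identifier, authority serial number, and authority directory name. Every comparison is skipped when either side lacks the field, which is why a match never proves issuership while a mismatch excludes the candidate. The class and constant names and the sample values are constructed for illustration; the real function compares ASN.1 structures, not Python primitives.

```python
from dataclasses import dataclass
from typing import List, Optional

# Names follow OpenSSL's X509_V_* error codes; the numeric values match x509_vfy.h.
X509_V_OK = 0
X509_V_ERR_AKID_SKID_MISMATCH = 30
X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = 31


@dataclass
class AuthorityKeyId:
    """AuthorityKeyIdentifier extension of a CRL or certificate; every field is OPTIONAL."""
    keyid: Optional[bytes] = None          # keyIdentifier
    issuer_dirname: Optional[str] = None   # directoryName from authorityCertIssuer (simplified to a string)
    serial: Optional[int] = None           # authorityCertSerialNumber


@dataclass
class Candidate:
    """The fields of a candidate issuer certificate that X509_check_akid looks at."""
    subject: str
    serial: int
    skid: Optional[bytes] = None           # SubjectKeyIdentifier, absent on older CA certs


def check_akid(issuer: Candidate, akid: Optional[AuthorityKeyId]) -> int:
    """Model of X509_check_akid(): returns X509_V_OK unless a *present* field contradicts the candidate."""
    if akid is None:
        return X509_V_OK                   # no extension at all: nothing to compare
    if akid.keyid is not None and issuer.skid is not None and akid.keyid != issuer.skid:
        return X509_V_ERR_AKID_SKID_MISMATCH
    if akid.serial is not None and akid.serial != issuer.serial:
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
    if akid.issuer_dirname is not None and akid.issuer_dirname != issuer.subject:
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
    return X509_V_OK


def not_excluded_by_akid(candidates: List[Candidate], akid: Optional[AuthorityKeyId]) -> List[Candidate]:
    """What a crl_akid_check-style caller actually learns from the hint: which candidates survive.
    Whichever survives must still be confirmed by verifying the signature with its public key."""
    return [c for c in candidates if check_akid(c, akid) == X509_V_OK]


# Constructed sample data: a CA that was re-keyed, its old certificate, and one with no SKID.
CA_CURRENT = Candidate(subject="CN=Example CA", serial=2, skid=b"\x11" * 20)
CA_OLD = Candidate(subject="CN=Example CA", serial=1, skid=b"\x22" * 20)
CA_NO_SKID = Candidate(subject="CN=Example CA", serial=3)
CRL_AKID = AuthorityKeyId(keyid=b"\x11" * 20)   # CRL signed by the current CA key, keyid only
```

Note that CA_NO_SKID is not excluded even though it cannot have signed the CRL, which is exactly why the survivors still need a signature check.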
