---------- Forwarded message ----------
From: Martin Haufschild <martin.haufsch...@uni-rostock.de>
Date: 23 May 2014 07:34
Subject: Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations

Hello,

FYI https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf

There seem to be two discrepancies with OpenSSL on page 11.

Regards
Martin
----------

This is a pretty nice paper, well worth a read, IMO.

Anyway, the two discrepancies: not clear to me that accepting basic constraints in V1 certs is a bug. In any case it can only (I think) tighten the constraints on the chain, so doesn't seem harmful.

Rejecting a leaf CA below an intermediate with zero path length may be strictly incorrect, but ... what does it mean? Would you ever see such a thing? When?

In any case, for the second issue at least, patches welcome.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
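
The case in the second discrepancy, as an added example that is not part of the original thread and is not OpenSSL code: a minimal C model of the path length processing in RFC 5280 section 6.1.4, steps (k) to (m), where the last certificate in the path is not counted against pathLenConstraint even when it is a CA. The struct, the function name, the result codes and the sample chains are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: only the fields the path length check reads. */
struct cert {
    int is_ca;        /* basicConstraints cA flag */
    int pathlen;      /* pathLenConstraint, -1 when absent */
    int self_issued;  /* issuer name equals subject name */
};

enum { PATH_OK, PATH_NOT_CA, PATH_LEN_EXCEEDED };

/* chain[] runs from the certificate issued by the trust anchor down to the
 * last certificate; the trust anchor itself is not included. */
int check_path_length(const struct cert *chain, size_t n)
{
    long max_path_length = (long)n;            /* initial value per RFC 5280 6.1.2 */
    for (size_t i = 0; i + 1 < n; i++) {       /* every cert except the last */
        const struct cert *c = &chain[i];
        if (!c->is_ca)                         /* 6.1.4 (k) */
            return PATH_NOT_CA;
        if (!c->self_issued) {                 /* 6.1.4 (l) */
            if (max_path_length <= 0)
                return PATH_LEN_EXCEEDED;
            max_path_length--;
        }
        if (c->pathlen >= 0 && c->pathlen < max_path_length)
            max_path_length = c->pathlen;      /* 6.1.4 (m) */
    }
    return PATH_OK;  /* the last cert is never charged against the limit */
}

/* Constructed sample chains. */
static const struct cert leaf_ca_below_zero[] = {
    {1, 0, 0},   /* intermediate, pathLenConstraint = 0 */
    {1, -1, 0},  /* last certificate, itself a CA */
};
static const struct cert extra_intermediate[] = {
    {1, 0, 0},   /* intermediate, pathLenConstraint = 0 */
    {1, -1, 0},  /* second intermediate: exceeds the limit */
    {0, -1, 0},  /* end entity */
};

int main(void)
{
    printf("leaf CA below pathlen 0: %d\n", check_path_length(leaf_ca_below_zero, 2));
    printf("extra intermediate:      %d\n", check_path_length(extra_intermediate, 3));
    return 0;
}
```
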