On 12/18/2014 04:42 AM, Kurt Roeckx wrote:
> On Wed, Dec 17, 2014 at 08:34:52PM +0100, Erwann Abalea wrote:
>> On 17/12/2014 20:17, Viktor Dukhovni wrote:
>>> On Wed, Dec 17, 2014 at 10:56:34AM -0800, Sean Leonard wrote:
>>>
>>>> For reference for the group (in case you didn't take a look at the draft),
>>>> the draft documents the following labels:
>>>>
>>>> CERTIFICATE
>>>> ...
>>> Perhaps also "TRUSTED CERTIFICATE"?
>>>
>>> crypto/pem/pem.h:#define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE"
>>
>> It's specific to OpenSSL.
>
> And it would be useful if it wasn't.
It might be useful, but getting the semantics right of what "TRUSTED CERTIFICATE" actually means is a non-trivial task. I'm not convinced that OpenSSL's interpretation of it is particularly useful in many common contexts.

Does OpenSSL have documented someplace exactly what it means to have a "TRUSTED CERTIFICATE"?

For example, say we're talking about a certificate that I am willing to accept for the peer foo.example. If I mark it TRUSTED and it has another SubjectAltName of bar.example, will OpenSSL subsequently accept it for bar.example as well?

--dkg
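To make concrete what the OpenSSL-specific label carries beyond a plain CERTIFICATE block, here is an added example (not code from the thread, OpenSSL, or the draft under discussion) that parses PEM blocks by label and, for a TRUSTED CERTIFICATE block, splits the certificate DER from the trailing trust structure OpenSSL appends to it. The layout of that trailing structure (trust OIDs, a [0] reject list, an alias) is taken from OpenSSL's X509_CERT_AUX definition as I recall it and is an assumption here; the sample PEM is constructed, with a five-byte placeholder SEQUENCE standing in for a real certificate, and all function names are mine.

```python
import base64
import re

# Constructed placeholder standing in for a certificate's DER: SEQUENCE { INTEGER 1 }.
# It is not a real X.509 certificate; only its outer TLV boundary matters here.
PLACEHOLDER_CERT = bytes.fromhex("3003020101")

# Well-known extended key usage OIDs, as OpenSSL writes them into the trust list.
OID_SERVER_AUTH = bytes.fromhex("06082b06010505070301")  # 1.3.6.1.5.5.7.3.1
OID_CLIENT_AUTH = bytes.fromhex("06082b06010505070302")  # 1.3.6.1.5.5.7.3.2


def der(tag, body):
    """Wrap body in a DER TLV (short-form length only, enough for this sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


# Assumed layout of OpenSSL's X509_CERT_AUX, appended after the certificate DER
# in a TRUSTED CERTIFICATE block:
#   trust  SEQUENCE OF OBJECT IDENTIFIER OPTIONAL
#   reject [0] IMPLICIT SEQUENCE OF OBJECT IDENTIFIER OPTIONAL
#   alias  UTF8String OPTIONAL
#   keyid  OCTET STRING OPTIONAL
#   other  [1] IMPLICIT SEQUENCE OF AlgorithmIdentifier OPTIONAL
SAMPLE_AUX = der(0x30,
                 der(0x30, OID_SERVER_AUTH)      # trusted for serverAuth
                 + der(0xA0, OID_CLIENT_AUTH)    # rejected for clientAuth
                 + der(0x0C, b"foo.example"))    # alias (constructed)


def pem_block(label, body):
    """Encode body as a PEM block with the given label, 64 characters per line."""
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed input: one plain block and one OpenSSL-style trusted block.
SAMPLE_PEM = (pem_block("CERTIFICATE", PLACEHOLDER_CERT)
              + pem_block("TRUSTED CERTIFICATE", PLACEHOLDER_CERT + SAMPLE_AUX))

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem(text):
    """Return a list of (label, DER bytes) for every block whose END label matches its BEGIN."""
    return [(m.group(1), base64.b64decode(re.sub(r"\s+", "", m.group(2))))
            for m in PEM_RE.finditer(text)]


def read_tlv(buf, off=0):
    """Read one DER tag/length/value at off; returns (tag, value, offset after it)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def decode_oid(body):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def oids_in(seq):
    """Collect every OID inside the contents of a SEQUENCE OF OBJECT IDENTIFIER."""
    out, off = [], 0
    while off < len(seq):
        tag, body, off = read_tlv(seq, off)
        if tag == 0x06:
            out.append(decode_oid(body))
    return out


def decode_aux(aux):
    """Decode the trust/reject/alias fields of the assumed X509_CERT_AUX layout."""
    _, body, _ = read_tlv(aux)
    info = {"trust": [], "reject": [], "alias": None}
    off = 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        if tag == 0x30:
            info["trust"] = oids_in(val)
        elif tag == 0xA0:
            info["reject"] = oids_in(val)
        elif tag == 0x0C:
            info["alias"] = val.decode("utf-8")
    return info


def describe(text):
    """Summarise each PEM block: its label, certificate length, and any trailing trust data."""
    result = []
    for label, data in parse_pem(text):
        _, _, end = read_tlv(data)  # end of the first TLV == end of the certificate
        entry = {"label": label, "cert_len": end, "aux": None}
        if label == "TRUSTED CERTIFICATE" and end < len(data):
            entry["aux"] = decode_aux(data[end:])
        result.append(entry)
    return result


if __name__ == "__main__":
    for entry in describe(SAMPLE_PEM):
        print(entry)
```

The point the parse makes visible is that the extra data behind the OpenSSL label is a list of purpose OIDs and an alias attached to the whole certificate, which is why a reader of the thread's question about foo.example versus bar.example would look to OpenSSL's verification code rather than to the PEM encoding for an answer.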
_______________________________________________
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev