On Fri, Dec 19, 2014 at 07:02:29AM -0800, Sean Leonard wrote:
> There is also a "TRUSTED CERTIFICATE" label that OpenSSL uses...I believe
> this is a vendor-specific extension but now that I am spelunking through the
> source code I see that it could be abused. Relevant source code/comments
> say:
> https://www.openssl.org/docs/apps/x509.html

What is this "abuse" you speak of? No remote actor injects "trusted
certificates" into the verifier's list of trust anchors. Trusted
certificates are actually "less trusted" certificates, in that their
set of EKUs is potentially constrained.

--
Viktor.
_______________________________________________
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev