On Fri, Dec 19, 2014 at 07:02:29AM -0800, Sean Leonard wrote:

> There is also a "TRUSTED CERTIFICATE" label that OpenSSL uses...I believe
> this is a vendor-specific extension but now that I am spelunking through the
> source code I see that it could be abused. Relevant source code/comments
> say:
> https://www.openssl.org/docs/apps/x509.html

What is this "abuse" you speak of?  No remote actor injects "trusted
certificates" into the verifier's list of trust anchors.  Trusted
certificates are actually "less trusted" certificates, in that
their set of EKUs is potentially constrained.

-- 
        Viktor.
_______________________________________________
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
