On Fri, Dec 19, 2014 at 03:05:32PM +0000, Viktor Dukhovni wrote:
> On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote:
>
> > Does OpenSSL have documented someplace exactly what it means to have a
> > "TRUSTED CERTIFICATE"?
>
> It is a certificate + auxiliary data which specifies a friendly name
> plus a set of EKUs.

Mozilla provides a list of root certificates and that includes at least
the trust settings for that certificate. In Debian we then extract the
certificates from that so that it can be used by applications that need
to have a list of trusted CAs. However those trust settings are removed
because not everything that wants to use those certificates understands
the trusted certificate.

It would be useful to have a standardised format.

Kurt

_______________________________________________
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
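
Added example (not part of the original message, and not Debian's or Mozilla's actual tooling): the trusted-certificate format discussed above, and the loss of its trust settings when the certificate is re-emitted as a plain one. It assumes the openssl command-line tool is on PATH; the certificate subject and alias are constructed test values.

```sh
#!/bin/sh
# Shows OpenSSL's "TRUSTED CERTIFICATE" auxiliary data and how it disappears
# when the same certificate is written back out in the plain PEM format.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Create a throwaway self-signed certificate (constructed test data, not a
# real root), then attach aux data: a friendly name plus trusted/rejected EKUs.
make_trusted() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test Root" \
    -keyout "$work/key.pem" -out "$work/plain.pem" 2>/dev/null
  openssl x509 -in "$work/plain.pem" -trustout \
    -setalias "Example Test Root" \
    -addtrust serverAuth -addreject emailProtection \
    -out "$work/trusted.pem"
}

# Re-emit without -trustout: only the X.509 certificate itself is written,
# so the alias and the trusted/rejected uses are discarded.
strip_trust() {
  openssl x509 -in "$work/trusted.pem" -out "$work/stripped.pem"
}

# PEM label of the first object in a file.
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Number of aux-data lines (trusted uses, rejected uses, alias) in the text dump.
aux_lines() {
  openssl x509 -in "$1" -noout -text |
    grep -c -E 'Trusted Uses|Rejected Uses|Alias:' || true
}

make_trusted
strip_trust
for f in trusted stripped; do
  printf '%s: label=%s aux_lines=%s\n' \
    "$f" "$(pem_label "$work/$f.pem")" "$(aux_lines "$work/$f.pem")"
done
```

A consumer that only reads the stripped file sees the certificate as valid for whatever its own X.509 extensions allow, with no record of the serverAuth-only restriction.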