> > This doesn't help you when presented a naked cert by a stranger[...] > > Any parseable certificate presented by a strager is good enough to > use that public key to send email encrypted to *his* private key. > At least if there's no chance for man-in-the-middle. Not if the cert denies such use... and at most all it gives you is a secure channel back to the person who sent you a possibly fradulent cert. If you aren't willing to blindly trust their cert, why would you blindly trust a cert chain and root cert (or pointer to same) they send?
> Probably you are talking about verification that stranger is authorized > by some big guy to pay..it's completely different issue. Or authorized to use resources, access data, etc. At an extreme, it might only be used to log the identity of persons in open discussions. That might sound excessive, but the spammers and slanderers may force some forums to go to this extreme. Anyone who posts as [EMAIL PROTECTED] is exactly the type to create their own bogus certs. > One could care about CA certificates related to his business, either > well-known or private ones used to verify access to local resources. Of course, but what about a case where you've never heard of them before? Your server asks for a cert, they hand over the only one they have, and you're suddenly wondering how much weight to give it. (See comments above.) > > On a related note, is there documentation on how to set up a "well- > > behaved" certs and PKCS12 bags? I couldn't find anything the last > > time I checked, but maybe something has come out since then. > > Any problem with PKCS12 specifications published by RSA Labs? > What is "well-behaved" ? It's hard to describe "well-behaved" because I rarely use Windows clients, and on Unix I tend to use the locally generated stuff with installers. But I've noticed that instead of loading several items separately, on PCs you often get everything in one package. So the question isn't how to create these packages (I assume the library will hand that), but what to put into them. And as my earlier comment suggests, I'm not even sure if this is a PKCS7 or PKCS12 object - I've been working with X.509 certs (and requests) and PKCS8 keys exclusively. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]