On Fri, Mar 17, 2006, michael Dorrian wrote:

> 1. Can a CA signed by the root CA act as a trusted CA itself?

Provided the root CA permits this...

> 2. How does the certificate chain stop another client who has a
> certificate signed by the same root authority as you acting as a trusted
> CA. I know the IP addresses will be different but maybe there is a way
> around that too.
>

Certificates contain extensions. One extension called basicConstraints
indicates (among other things) whether the certificate is a valid CA.

An end entity (for example server certificates) cannot be used as a CA
because this extension forbids it and any software validating the chain
will reject it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
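
The rejection described in the reply above can be reproduced with the `openssl` command line. This is an added example, not part of the original message or of the OpenSSL project's code; the directory layout, file names and subject names (Demo Root, ee.example, child.example) are constructed for illustration.

```shell
#!/bin/sh
# Added example; every name below (Demo Root, ee.example, child.example) is constructed.
# Chain built: root (CA:TRUE) -> ee (CA:FALSE) -> child (signed with the ee key).

make_demo_chain() {   # $1 = existing empty directory
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical, CA:TRUE
[ee]
basicConstraints = critical, CA:FALSE
EOF
    # Self-signed root carrying CA:TRUE.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/demo.cnf" \
        -extensions ca -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    # End-entity certificate issued by the root, marked CA:FALSE.
    issue "$d" ee "/CN=ee.example" root || return 1
    # Certificate signed with the end-entity key, the case in question 2.
    issue "$d" child "/CN=child.example" ee || return 1
}

issue() {   # $1 = dir, $2 = new cert name, $3 = subject, $4 = issuer name
    openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -set_serial 1 -days 2 -extfile "$1/demo.cnf" -extensions ee \
        -out "$1/$2.pem" 2>/dev/null
}

verify_leaf() {   # $1 = dir, $2 = cert name; exit status is that of openssl verify
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/ee.pem" "$1/$2.pem"
}

demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir"
verify_leaf "$demo_dir" ee    && echo "ee: accepted as an end entity"
verify_leaf "$demo_dir" child || echo "child: rejected, its issuer is not a CA"
```

The signature on `child.pem` is mathematically valid; validation fails only because the issuing certificate in the chain carries `CA:FALSE`.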