On 06/03/2010 06:11 PM, Dr. Stephen Henson wrote:
On Thu, Jun 03, 2010, jeff wrote:

I have an example, detailed below, that specifies permitted and excluded
subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate
requests adhering to and violating the name constraints both, even
though the nameConstraints are marked as critical.
Is this OpenSSL misbehaving or did I miss something when creating the
sub-CA certificate or issuing the user certificate?
thanks/jeff

This would be much easier to test if you'd attached all the relevant
certificates and how you are testing them.

IMO I do not think that there is any code in openssl that
checks during creation whether a new certificate would violate
some naming constraints.

This is an issue for the registration authority.

In principle, these are things to be verified by a relying party, and the
relying party's trust set containing maybe cross certs with
all kinds of restrictions cannot be known at that point.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
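
The split described in the reply above (signing does not consult nameConstraints, path validation does) can be reproduced with the following added example, which is not part of the original thread. It assumes an `openssl` 1.1.1 or later binary on PATH; the file names, the `demo.cnf` sections and the example.com / example.org hosts are all constructed for the demo.

```shell
# Constructed demo: all names, hosts and files are made up (assumes OpenSSL 1.1.1+).
nc_demo() (
    set -e
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root]
basicConstraints = critical, CA:TRUE
[subca]
basicConstraints = critical, CA:TRUE
nameConstraints = critical, permitted;DNS:example.com
[good]
subjectAltName = DNS:www.example.com
[bad]
subjectAltName = DNS:www.example.org
EOF
    newcsr() {  # newcsr <basename> <CN>: fresh key plus certificate request
        openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
            -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    }
    sign() {    # sign <basename> <issuer> <section>: issuer signs the request
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
            -CAcreateserial -extfile demo.cnf -extensions "$3" \
            -days 2 -out "$1.pem" 2>/dev/null
    }
    check() {   # check <leaf>: relying-party path validation root -> sub -> leaf
        if out=$(openssl verify -CAfile root.pem -untrusted sub.pem "$1.pem" 2>&1)
        then echo accepted
        else case $out in
            *"permitted subtree violation"*) echo nc-violation ;;
            *) echo other-error ;;
        esac; fi
    }
    # Self-signed root, then a sub-CA limited to names under example.com.
    openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -extensions root \
        -subj "/CN=Demo Root" -days 2 -keyout root.key -out root.pem 2>/dev/null
    newcsr sub "Demo Sub CA"; sign sub root subca
    # Issuance: both requests get signed; nameConstraints is not consulted here.
    issued=0
    for leaf in good bad; do
        newcsr "$leaf" "$leaf leaf"
        if sign "$leaf" sub "$leaf"; then issued=$((issued + 1)); fi
    done
    echo "issued=$issued good=$(check good) bad=$(check bad)"
)
nc_demo
```

Both leaves are issued, but only the one whose subjectAltName falls under the permitted subtree passes `openssl verify`.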