On 2/25/2011 5:03 PM, John R Pierce wrote:
the root certificate in question is not in either Google Chrome's list
of CAs, or in Mozilla Firefox's list.
"AC-SSL da ICPEDU" is the Root CA, issuing a certificate to www.icp.edu.br
The Root Certificate appears to be one locally generated...
CN=AC-SSL da ICPEDU
S=Distrito Federal
C=BR
E=go...@icp.edu.br
O=ICPEDU
O=RNP
L=Brasilia
with an issuer statement...
Os certificados da ICPEDU sao para uso exclusivo por instituicoes
brasileiras de ensino e pesquisa, e nao tem eficacia probante.
which iGoogle roughly translates as...
Certificates of ICPEDU are for exclusive use by institutions of
higher education and research, and has no probative efficacy.
So basically, this is pretty close to self-signed.
So it's working as designed. He's decided that encryption that can't be
broken passively is better than nothing. It's not clear to me that this
is a mistake on his part. Perhaps if he didn't realize the implications
of his decision, it might be an error. But not knowing his requirements,
I don't see how we can say that.
DS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
