2011/10/21 Jakob Bohm <jb-open...@wisemo.com>:
> According to the Digicert CPS
> <http://www.digicert.com/docs/cps/DigiCert_EV-CPS.pdf>,
> that DigiCert root is cross-certified by the Entrust root. Some trusted
> certificate bundles include only the Entrust root CA and will need the
> Entrust-signed "cross" intermediary certificate to validate, other trusted
> certificate bundles include the Digicert self-signed root for this key
> directly.
>
> It is expected from the standards and the behavior of other X.509 libraries
> that upon seeing the "keyid" of a known root, the library should stop
> following the chain and ignore any extra certificate provided by the entity
> being verified.

So, the behavior I get with OpenSSL when using the Digicert root is
non-conformant with X.509? The peer's certificate should have been verified
when I provided the Digicert root?

--
Lucas Clemente Vella
lve...@gmail.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
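
Added example, not part of the original messages and not OpenSSL code: a simplified Python model of the path building discussed in this thread, where a cross-certified root shares its name and key with a self-signed root. Certificates are reduced to names and key identifiers (signatures are not checked), the sample certificates are constructed, and `trusted_first` is a hypothetical switch that contrasts a builder that stops at a known root with one that follows peer-supplied certificates first.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str         # models subjectKeyIdentifier
    issuer_key_id: str  # models authorityKeyIdentifier


def build_path(leaf, peer_extra, trust_store, trusted_first=True):
    """Return [leaf, ..., anchor], or None when no trust anchor is reached."""
    path, current = [leaf], leaf
    while True:
        # The issuer we are looking for: same name and same key identifier.
        want = (current.issuer, current.issuer_key_id)
        anchor = next((c for c in trust_store
                       if (c.subject, c.key_id) == want), None)
        extra = next((c for c in peer_extra
                      if (c.subject, c.key_id) == want and c not in path), None)
        if anchor and (trusted_first or extra is None):
            # Known root reached: stop and ignore anything the peer sent.
            return path + [anchor]
        if extra is None:
            return None  # dead end: no anchor and nothing left to follow
        path.append(extra)
        current = extra


# Constructed sample certificates (names and key ids are placeholders).
ENTRUST_ROOT = Cert("Entrust Root", "Entrust Root", "K_E", "K_E")
DIGICERT_ROOT = Cert("DigiCert Root", "DigiCert Root", "K_D", "K_D")
# Same subject and key as DIGICERT_ROOT, but issued by the Entrust root.
DIGICERT_CROSS = Cert("DigiCert Root", "Entrust Root", "K_D", "K_E")
SERVER = Cert("www.example.test", "DigiCert Root", "K_S", "K_D")

if __name__ == "__main__":
    for store in ([DIGICERT_ROOT], [ENTRUST_ROOT]):
        for mode in (True, False):
            path = build_path(SERVER, [DIGICERT_CROSS], store, trusted_first=mode)
            names = None if path is None else [c.subject + " <- " + c.issuer for c in path]
            print(store[0].subject, "trusted_first=%s" % mode, names)
```

With only the self-signed DigiCert root trusted, the peer-first mode walks the cross certificate up to an Entrust root that is not in the store and fails, while the trusted-first mode stops at the known key.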