On 10/22/2011 4:52 AM, Lucas Clemente Vella wrote:
2011/10/21 Jakob Bohm<jb-open...@wisemo.com>:
According to the Digicert CPS
<http://www.digicert.com/docs/cps/DigiCert_EV-CPS.pdf>,
that DigiCert root is cross-certified by the Entrust root.  Some trusted
certificate bundles include only the Entrust root CA and will need the
Entrust-signed "cross" intermediary certificate to validate; other trusted
certificate bundles include the Digicert self-signed root for this key
directly.

It is expected from the standards and the behavior of other X.509 libraries
that upon seeing the "keyid" of a known root, the library should stop
following the chain and ignore any extra certificate provided by the entity
being verified.

So, the behavior I get with OpenSSL when using the Digicert root is
non-conformant with X.509? The peer's certificate should have been
verified when I provided the Digicert root?

Just my unqualified opinion though.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
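
The chain-building question discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL's code: a simplified model of two path-building strategies over toy certificate records. All names and key ids are constructed, and signatures, validity dates and extensions are deliberately ignored.

```python
from collections import namedtuple

# Toy certificate record; every value below is constructed for illustration.
Cert = namedtuple("Cert", "subject subject_keyid issuer authority_keyid")

ROOT_SELF = Cert("DigiCert Root", "K-DIGI", "DigiCert Root", "K-DIGI")  # self-signed root
ROOT_CROSS = Cert("DigiCert Root", "K-DIGI", "Entrust Root", "K-ENTR")  # same key, cross-signed
ENTRUST = Cert("Entrust Root", "K-ENTR", "Entrust Root", "K-ENTR")
INTERMEDIATE = Cert("DigiCert CA", "K-INT", "DigiCert Root", "K-DIGI")
LEAF = Cert("www.example.test", "K-LEAF", "DigiCert CA", "K-INT")


def find_issuer(cert, pool):
    """Return the first cert in pool matching cert's issuer name and key id."""
    for cand in pool:
        if (cand.subject == cert.issuer
                and cand.subject_keyid == cert.authority_keyid):
            return cand
    return None


def build_chain(leaf, peer_supplied, trust_store, trusted_first):
    """Return the chain from leaf to a trust anchor, or None if none is reached.

    trusted_first=True  : consult the trust store before peer-supplied certs,
                          so a known root key ends the chain immediately.
    trusted_first=False : follow peer-supplied certs as far as they go and
                          only then consult the trust store.
    """
    chain, current = [leaf], leaf
    for _ in range(10):  # depth limit guards against loops
        trusted = find_issuer(current, trust_store)
        untrusted = find_issuer(
            current, [c for c in peer_supplied if c not in chain])
        nxt = (trusted or untrusted) if trusted_first else (untrusted or trusted)
        if nxt is None:
            return None          # dead end: no issuer available anywhere
        chain.append(nxt)
        if nxt is trusted:
            return chain         # reached a trust anchor
        current = nxt
    return None


if __name__ == "__main__":
    sent = [INTERMEDIATE, ROOT_CROSS]  # what the peer sends besides the leaf
    for store, label in (([ROOT_SELF], "DigiCert root"), ([ENTRUST], "Entrust root")):
        for tf in (False, True):
            chain = build_chain(LEAF, sent, store, tf)
            print(label, "trusted_first=%s" % tf, [c.subject for c in chain or []])
```

With only the self-signed root in the trust store, the peer-first strategy walks past the known key onto the cross certificate and dead-ends at the missing Entrust root, while the trusted-first strategy stops at the known root and succeeds.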
