[openssl-dev] [openssl.org #1210] Bug: CRL and Certificates
Re-thinking about this a bit more, OpenSSL doesn't do any key-usage verification of things when it does signatures. So I am closing this ticket. As a work-around, verifying the signature and usage of the signed data maybe? (If someone wants to do a PR to fix this, great.)

--
Rich Salz, OpenSSL dev team; rs...@openssl.org

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl.org #1210] Bug: CRL and Certificates
On 06/30/2014 05:14 PM, Rich Salz via RT wrote:
> It's not immediately obvious, but enforcement of the keyUsage and other
> attributes is something the relying party has to do. Anything else means just
> trusting the signer, and that is not secure; how do you know the signer is not
> cheating?

I agree with Rich that the primary requirement is on the relying party. But OpenSSL's user-facing tools for operating a CA can also be made more user-friendly, to avoid creating a CRL (or other data structure) by default that reasonable relying parties will automatically reject.

The ability to override this default restriction would be nice too (for those signers who actually *want* to "cheat", or for the creation of test suite material, etc., though that could be done with modified source code for the folks who have these special needs).

I think #1210 should be reopened.

--dkg
[openssl.org #1210] Bug: CRL and Certificates
It's not immediately obvious, but enforcement of the keyUsage and other attributes is something the relying party has to do. Anything else means just trusting the signer, and that is not secure; how do you know the signer is not cheating?

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
[openssl.org #1210] Bug: CRL and Certificates
Hi,

I found a bug in CRL lists. It is possible to sign the list with a certificate which shouldn't do it because of the Key Usage extension. If this extension is set critical and CRLSign is not listed, you shouldn't do the signing. The specification says that you should do anything with a certificate if you don't understand the critical sections. So it would be better to do nothing instead.

Sincerely
Maria Siebert
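The report above reproduced against stock openssl(1), followed by the two checks the thread asks for: the relying-party check of the CRL issuer's keyUsage that Rich says is the real requirement, and the CA-side guard in front of `openssl ca -gencrl` that dkg proposes. This is an added example, not code from the ticket, from the posters or from the OpenSSL project. It assumes only an `openssl` binary (1.1.1 or later) on PATH; all key material is generated on the fly, and the certificate names, config sections and helper functions (`make_ca`, `crl_issuer_allowed`, `ca_conf`, `gencrl_guarded`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the ticket or of OpenSSL. Assumes an `openssl`
# binary (1.1.1+) on PATH; everything else is constructed in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# req config with two CA extension sets: one whose critical keyUsage omits
# cRLSign (the certificate from the report) and one that includes it.
cat > req.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Example CA
[ ca_no_crlsign ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
subjectKeyIdentifier = hash
[ ca_crlsign ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {  # make_ca <name> <extension section>  -> <name>.key, <name>.pem
  openssl req -x509 -config req.cnf -extensions "$2" -subj "/CN=$1" \
    -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
make_ca nocrlsign ca_no_crlsign
make_ca crlsign   ca_crlsign

# Relying-party check: may this certificate sign CRLs at all?
# RFC 5280 4.2.1.3: when keyUsage is present, cRLSign must be set for the
# key to verify CRL signatures; an absent keyUsage imposes no restriction.
crl_issuer_allowed() {  # crl_issuer_allowed <issuer cert>  ; exit 0 = allowed
  ku=$(openssl x509 -in "$1" -noout -text \
       | grep -A1 'X509v3 Key Usage' | tail -n 1)
  [ -z "$ku" ] && return 0          # no keyUsage extension: nothing to enforce
  case "$ku" in
    *"CRL Sign"*) return 0 ;;
    *)            return 1 ;;
  esac
}

# Minimal `openssl ca` configuration, just enough for -gencrl.
ca_conf() {  # ca_conf <ca name>  -> writes <name>.cnf and its state files
  cat > "$1.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ./$1.index
new_certs_dir = .
serial = ./$1.serial
crlnumber = ./$1.crlnumber
certificate = ./$1.pem
private_key = ./$1.key
default_md = sha256
default_crl_days = 7
EOF
  : > "$1.index"; echo 01 > "$1.serial"; echo 01 > "$1.crlnumber"
}

# 1. What the ticket reports: `openssl ca` signs the CRL regardless of the
#    issuer's keyUsage, and `openssl crl -CAfile` checks the signature only.
ca_conf nocrlsign
openssl ca -config nocrlsign.cnf -gencrl -out nocrlsign.crl 2>/dev/null
openssl crl -in nocrlsign.crl -CAfile nocrlsign.pem -noout   # prints "verify OK"

# 2. The CA-side guard: refuse to issue a CRL the issuer may not sign.
gencrl_guarded() {  # gencrl_guarded <ca name>  ; exit 0 only if a CRL was issued
  ca_conf "$1"
  if ! crl_issuer_allowed "$1.pem"; then
    echo "refusing: $1.pem carries a keyUsage without cRLSign" >&2
    return 1
  fi
  openssl ca -config "$1.cnf" -gencrl -out "$1.crl" 2>/dev/null
}
```

`crl_issuer_allowed` deliberately treats an absent keyUsage as permitted, which is what RFC 5280 says; only a present extension lacking cRLSign is a reason to reject. Note that OpenSSL's path validator already applies this rule: when CRL checking is enabled (X509_V_FLAG_CRL_CHECK, or `openssl verify -crl_check`), a CRL whose issuer certificate lacks cRLSign fails with X509_V_ERR_KEYUSAGE_NO_CRL_SIGN, which is the "automatic rejection" dkg refers to. The gap the ticket describes is only on the signing side, where `openssl ca -gencrl` produces a CRL that that verifier will never accept.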