[EMAIL PROTECTED] wrote:
>
> Rich is right. A recursive trial-and-error is the way to go. It should be
> combined with extension checking.
>
> It's sad that Openssl discards keyusage restrictions and other extensions, as
> they are definitely not there for being discarded.
>
[description of ex
for being a CA).
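What "recursive trial-and-error combined with extension checking" looks like in practice, as an added example in Go (it is not code from this thread, from OpenSSL, or from the commercial CA). It constructs the situation the thread describes: two self-signed CA certificates sharing one subject name, one with keyUsage keyCertSign and one with cRLSign, plus an end-entity certificate issued under the keyCertSign key. A name-only lookup that takes the first same-named certificate picks the cRLSign one and the signature does not verify (with RSA PKCS#1 v1.5 signatures a wrong public key typically surfaces as a padding error, which is consistent with what the verify command reports further down). The chain builder instead filters candidates by basicConstraints and keyUsage and then tries each remaining key in turn. The CA name "Example Commercial CA", the host name, the serial numbers and the use of P-256 ECDSA keys are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

const caCN = "Example Commercial CA" // assumed subject name shared by both CA certs

// issue generates a fresh P-256 key and a v3 certificate for it, self-signed when
// parent is nil. basicConstraints and keyUsage are always emitted: they are the point.
func issue(serial int64, cn string, usage x509.KeyUsage, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildFixture is constructed test data in the shape the thread describes: two same-named
// CA certs differing only in keyUsage, and one end-entity cert issued under the keyCertSign key.
func BuildFixture() (certSignCA, crlSignCA, leaf *x509.Certificate, err error) {
	certSignCA, certSignKey, err := issue(1, caCN, x509.KeyUsageCertSign, true, nil, nil)
	if err != nil {
		return
	}
	if crlSignCA, _, err = issue(2, caCN, x509.KeyUsageCRLSign, true, nil, nil); err != nil {
		return
	}
	leaf, _, err = issue(3, "server.example.test", x509.KeyUsageDigitalSignature, false, certSignCA, certSignKey)
	return
}

// sigOK reports whether parent's public key verifies child's signature.
func sigOK(parent, child *x509.Certificate) bool {
	return parent.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature) == nil
}

// VerifyByNameOnly mimics a verifier that ignores extensions: the first certificate
// carrying child's issuer name is taken as the issuer, whatever its keyUsage says.
func VerifyByNameOnly(child *x509.Certificate, pool []*x509.Certificate) bool {
	for _, c := range pool {
		if bytes.Equal(c.RawSubject, child.RawIssuer) {
			return sigOK(c, child)
		}
	}
	return false
}

// acceptableIssuer is the extension check: the issuer name must match, the candidate
// must be a CA, and a present keyUsage must include keyCertSign (RFC 5280, 4.2.1.3).
func acceptableIssuer(c, child *x509.Certificate) bool {
	return bytes.Equal(c.RawSubject, child.RawIssuer) &&
		!(c.BasicConstraintsValid && !c.IsCA) &&
		(c.KeyUsage == 0 || c.KeyUsage&x509.KeyUsageCertSign != 0)
}

// BuildChain is the recursive trial-and-error: each acceptable candidate whose key verifies
// child's signature is followed until a self-signed cert is reached. Trust anchors,
// validity dates and revocation are out of scope; maxDepth stops cross-signing loops.
func BuildChain(child *x509.Certificate, pool []*x509.Certificate, maxDepth int) ([]*x509.Certificate, error) {
	if maxDepth == 0 {
		return nil, errors.New("chain too long")
	}
	if bytes.Equal(child.RawSubject, child.RawIssuer) && sigOK(child, child) {
		return []*x509.Certificate{child}, nil
	}
	for _, c := range pool {
		if !acceptableIssuer(c, child) || !sigOK(c, child) {
			continue // wrong certificate or wrong key: try the next candidate
		}
		if rest, err := BuildChain(c, pool, maxDepth-1); err == nil {
			return append([]*x509.Certificate{child}, rest...), nil
		}
	}
	return nil, errors.New("no acceptable issuer verified the signature")
}
```

Call `BuildFixture`, put the cRLSign certificate ahead of the keyCertSign one in the pool, and `VerifyByNameOnly` fails while `BuildChain` returns the two-element chain ending in the keyCertSign certificate. Go's own `Certificate.CheckSignatureFrom` applies the same basicConstraints and keyUsage test before checking the signature. The end-entity certificate also carries an authorityKeyIdentifier equal to the issuing certificate's subjectKeyIdentifier (Go fills it in from the parent); where the CA emits it, that is the indicator of which key was used, and a verifier should prefer the candidate whose subjectKeyIdentifier matches before falling back to trying every key.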
-Original Message-
From: MIME:[EMAIL PROTECTED]
Sent: Thursday, 2 September 1999 19:36
To: -:[EMAIL PROTECTED]; Olaf Schlueter
Subject: RE: Cert verification problems.
>OpenSSL can't do this automatically at present because it ignores
>cert
However when a CA rekeys you'd expect some indicator of the new key
used, not just: "try everything you've got and see what happens".
You're more optimistic than I.
Salz, Rich wrote:
>
> > A bit odd but it makes sense I suppose: I wouldn't like to
> >guess as to which software will handle this properly though.
>
> Yes, that is exactly what is going on.
> It is *VERY* odd -- I'd argue it's broken.
>
I'd argue it's broken too. At the very least I'd expect so
>It seems to be that this behaviour is implied by the extensions: that is
>both certificates have the same subject and issuer names and they match
>each other: crl-sign however doesn't have permission to sign
>certificates but cert-sign does. Presumably this is intended to mean
>that you use the p
Rich Salz wrote:
>
> Sorry, you're right. The cert-sign is okay, but the crl-sign cert
> which is signed by cert-sign fails to verify the sig. We'd normally
> suspect the CA that generated the certs, but (1) it verifies when we
> use our hardware crypto; (2) it's not our CA. :)
>
> So, we do be
Sorry, you're right. The cert-sign is okay, but the crl-sign cert
which is signed by cert-sign fails to verify the sig. We'd normally
suspect the CA that generated the certs, but (1) it verifies when we
use our hardware crypto; (2) it's not our CA. :)
So, we do believe there's a bug in openssl.
Salz, Rich wrote:
>
> The following certs were generated using a popular commercial CA.
>
> The cert-sign cert verifies okay; the cert-sign cert does NOT verify
Err would you like to try that again but without the contradiction this
time? :-)
> the crl-sign cert -- OpenSSL verify command claim
The following certs were generated using a popular commercial CA.
The cert-sign cert verifies okay; the cert-sign cert does NOT verify
the crl-sign cert -- OpenSSL verify command claims the padding is wrong.
Any clues? Any die-hard DER bit-twiddlers have any advice?
Thanks, much, in advance.