Yes, you can't use an end user certificate as a CA (well there was this
one broken one you could...) with most software because it isn't marked
as being a valid CA. Either by having the CA flag set to FALSE in
basicConstraints or implicitly because basicConstraints is absent and
probably not having the right keyUsage bits set either.
What about if a recognized CA (such as Thawte) tries to issue GSID's?
Are there special bits in the Verisign root that's shipped with the
browser? Or only in the intermediate CA cert that signs the actual
GSID? I guess the former is the only thing that makes sense (otherwise,
Thawte could issue an intermediate cert similar to Verisign's, and
sign GSID's with it from South Africa, conveniently outside US jurisdiction);
but if the built-in root needs special bits, then why does Verisign
bother with the intermediate cert?
I believe Verisign has certified some US banks to issue their
own global server IDs by signing a CA certificate with their
global server root, and with suitable path length protection.
Do you have any idea which banks these might be? Is there a way
to find out?
Thanks.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
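The points raised in the thread (a leaf certificate cannot act as a CA because basicConstraints says CA:FALSE, and a delegated CA can be fenced in with a pathlen constraint) can be seen directly with the openssl command line. The script below is an added example, not code from this thread or from the OpenSSL project: it builds a throwaway PKI in a temp directory (all names, serials and the pathlen:0 value are constructed), then asks openssl verify which chains it accepts.

```sh
#!/bin/sh
# Constructed example: throwaway PKI built with the openssl CLI to show how
# basicConstraints (CA flag and pathlen) decides which certs may act as a CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DAYS=365

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Extension profiles. A CA cert carries CA:TRUE plus keyCertSign; a leaf
# carries CA:FALSE, so verifiers refuse it as an issuer whatever it signs.
write_ca_ext() {   # $1 = output file, $2 = pathlen ("" for no limit)
  if [ -n "$2" ]; then
    printf 'basicConstraints = critical,CA:TRUE,pathlen:%s\n' "$2" > "$1"
  else
    printf 'basicConstraints = critical,CA:TRUE\n' > "$1"
  fi
  printf 'keyUsage = critical,keyCertSign,cRLSign\n' >> "$1"
}
write_leaf_ext() { # $1 = output file
  printf 'basicConstraints = critical,CA:FALSE\n' > "$1"
  printf 'keyUsage = critical,digitalSignature,keyEncipherment\n' >> "$1"
  printf 'extendedKeyUsage = serverAuth\n' >> "$1"
}

# issue NAME ISSUER EXTFILE SERIAL  (ISSUER="self" makes a self-signed cert)
issue() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
    -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  if [ "$2" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days "$DAYS" \
      -extfile "$3" -set_serial "$4" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
      -days "$DAYS" -extfile "$3" -set_serial "$4" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# verify_ok LEAF [INTERMEDIATE...]: returns 0 if LEAF chains to root.crt via
# the given intermediates under the normal CA-flag and pathlen rules.
verify_ok() {
  leaf="$WORK/$1.crt"; shift
  if [ $# -eq 0 ]; then
    openssl verify -CAfile "$WORK/root.crt" "$leaf" >/dev/null 2>&1
  else
    : > "$WORK/untrusted.pem"
    for i in "$@"; do cat "$WORK/$i.crt" >> "$WORK/untrusted.pem"; done
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/untrusted.pem" \
      "$leaf" >/dev/null 2>&1
  fi
}

build_pki() {
  write_ca_ext "$WORK/root.ext" ""   # trust anchor, no pathlen limit
  write_ca_ext "$WORK/sub0.ext" 0    # delegated CA: may issue leaves only
  write_leaf_ext "$WORK/leaf.ext"
  issue root self "$WORK/root.ext" 1            # the built-in root
  issue bank root "$WORK/sub0.ext" 2            # delegated CA with pathlen:0
  issue server bank "$WORK/leaf.ext" 3          # legitimate end-entity cert
  issue bank-subca bank "$WORK/sub0.ext" 4      # bank tries to delegate again
  issue deep-server bank-subca "$WORK/leaf.ext" 5 # one level beyond pathlen:0
  # Signed with an end-entity key. Some openssl builds may refuse to sign
  # here at all; either way the chain below is rejected.
  issue leaf-signed server "$WORK/leaf.ext" 6 || true
}

report() { if verify_ok "$@"; then echo "$1: chain accepted"; else echo "$1: chain rejected"; fi; }

build_pki
report server bank                    # accepted
report deep-server bank bank-subca    # rejected: pathlen:0 on bank exceeded
report leaf-signed server             # rejected: server cert is CA:FALSE
```

Run it with no arguments; it prints one line per chain. The middle case is the "path length protection" mentioned above: the bank can sign server certificates but cannot mint a further CA that verifiers will accept. The last case is the original observation: signing with an end-entity key produces a syntactically valid certificate, but every conforming verifier rejects the chain because the issuer lacks CA:TRUE.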