Thomas Reinke wrote:
> 
> More specifically, what is chain verification, if it is not the same
> thing that OpenSSL does when running verify?
> 

Ah, now that's a long story.

OpenSSL's certificate verification code is largely unchanged from SSLeay
days. When you verify a certificate chain using OpenSSL you generally
have one untrusted certificate (the end user or "leaf" certificate) and
all other certificates trusted.

Browsers do chain verification which means that they can verify a whole
chain of untrusted certificates if one in the chain (usually the root)
is trusted.

Currently in OpenSSL you need to keep track of the subordinate CAs and
trust them too.

In a proper chain verification system you'd just need to trust the root
CAs and subordinates would be checked automatically.

You can do chain verification in this way but no extension checking is
done on the untrusted certificates. So you could use an end user
certificate as a CA and mess up authentication schemes. For this reason
the chain code is not normally used.

Yes, it's being worked on...

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
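The two verification models contrasted in the message above (every issuer trusted directly, versus walking a pool of untrusted certificates up to one trusted root) and the extension-checking gap Steve describes, as an added example that is not code from the original post or from OpenSSL. It is a toy model built on the Python standard library: certificates are dataclasses, the "signature" is an HMAC with the issuer's key material standing in for a real public-key signature, and all names ("Root CA", "Sub CA", "alice", "server.example") are constructed. The point it demonstrates is the chain walk itself: without a basicConstraints check on the untrusted certificates, an end-entity certificate can sit in the middle of a chain and the walk still reaches the trusted root.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_CHAIN_DEPTH = 8  # bound the walk so a malformed pool cannot loop forever


@dataclass(frozen=True)
class Cert:
    """Toy certificate carrying only the fields the chain walk needs (constructed model)."""
    subject: str
    issuer: str
    is_ca: bool        # the basicConstraints CA flag
    key: bytes         # stand-in for the subject's key material (HMAC key, not a real key pair)
    signature: bytes   # HMAC over the to-be-signed fields, stand-in for a real signature


def _tbs(subject: str, issuer: str, is_ca: bool, key: bytes) -> bytes:
    # The "to-be-signed" part: everything the issuer vouches for.
    return b"|".join([subject.encode(), issuer.encode(), str(is_ca).encode(), key])


def _sign(signer_key: bytes, data: bytes) -> bytes:
    return hmac.new(signer_key, data, hashlib.sha256).digest()


def self_sign(subject: str) -> Cert:
    """A root: signs its own certificate and asserts CA=TRUE."""
    key = os.urandom(32)
    return Cert(subject, subject, True, key, _sign(key, _tbs(subject, subject, True, key)))


def issue(subject: str, is_ca: bool, issuer: Cert) -> Cert:
    """Issue a certificate for `subject` with whoever holds `issuer`'s key material."""
    key = os.urandom(32)
    sig = _sign(issuer.key, _tbs(subject, issuer.subject, is_ca, key))
    return Cert(subject, issuer.subject, is_ca, key, sig)


def signature_ok(cert: Cert, issuer: Cert) -> bool:
    expected = _sign(issuer.key, _tbs(cert.subject, cert.issuer, cert.is_ca, cert.key))
    return hmac.compare_digest(cert.signature, expected)


def verify_chain(leaf: Cert, untrusted: list, trusted: list, check_extensions: bool = True):
    """Walk from `leaf` through `untrusted` until an issuer in `trusted` is reached.

    Returns (ok, reason). With check_extensions=False the walk behaves like the
    chain code the message describes: signatures are checked, basicConstraints is not.
    """
    pool = {c.subject: c for c in untrusted}
    anchors = {c.subject: c for c in trusted}
    current = leaf
    for _ in range(MAX_CHAIN_DEPTH):
        if current.issuer in anchors:
            anchor = anchors[current.issuer]
            if not signature_ok(current, anchor):
                return False, f"bad signature on {current.subject!r}"
            return True, f"chain ends at trusted root {anchor.subject!r}"
        issuer = pool.get(current.issuer)
        if issuer is None:
            return False, f"no issuer found for {current.subject!r}"
        if issuer is current:
            return False, f"self-signed certificate {current.subject!r} is not in the trust store"
        if not signature_ok(current, issuer):
            return False, f"bad signature on {current.subject!r}"
        # The check that makes chain verification safe: an untrusted certificate may
        # only act as an issuer if it was itself issued as a CA.
        if check_extensions and not issuer.is_ca:
            return False, f"{issuer.subject!r} is not a CA (basicConstraints) and cannot issue certificates"
        current = issuer
    return False, f"no trusted root reached within {MAX_CHAIN_DEPTH} steps"


def demo() -> dict:
    root = self_sign("Root CA")
    sub = issue("Sub CA", True, root)
    alice = issue("alice", False, sub)
    # Constructed scenario from the message: the holder of an end-entity certificate
    # (and its key) issues a certificate for some other name.
    rogue = issue("server.example", False, alice)
    stray = self_sign("Stray Root")
    return {
        "proper_chain": verify_chain(alice, [sub], [root]),
        "leaf_alone_root_only": verify_chain(alice, [], [root]),        # old model: sub must be trusted too
        "leaf_alone_sub_trusted": verify_chain(alice, [], [root, sub]),
        "rogue_without_extension_check": verify_chain(rogue, [alice, sub], [root], check_extensions=False),
        "rogue_with_extension_check": verify_chain(rogue, [alice, sub], [root]),
        "untrusted_self_signed": verify_chain(stray, [stray], [root]),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:32s} {'OK ' if ok else 'FAIL'} {reason}")
```

The `leaf_alone_*` cases show the model the message attributes to OpenSSL at the time (the leaf is the only untrusted certificate, so the subordinate CA has to be in the trust store); the `rogue_*` pair shows why the chain code was not used: the same chain is accepted or rejected depending only on whether basicConstraints is checked on the untrusted issuer.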

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
