Thanks for the reply. For the most part, I think I understand what
you're saying, except that I have one gap in my knowledge.

If I can bother you to complete one more little gap in my
ignorance:

In chain verification (à la Netscape), wouldn't the browser still
need to be able to get its hands on the other certificates in
the chain to complete the path up to the root, trusted, certificate?
That's my problem - I can visit sites signed by Equifax and Entrust
CA certs, but without having these certs in my browser.

That means I am getting something wrong - the certs either
a) must be in my browser (so where are they hiding? - not cert7.db!) OR
b) there must be another way of verifying the chain

Thomas

Dr Stephen Henson wrote:

> 
> Browsers do chain verification which means that they can verify a whole
> chain of untrusted certificates if one in the chain (usually the root)
> is trusted.
> 
> Currently in OpenSSL you need to keep track of the subordinate CAs and
> trust them too.
> 
> In a proper chain verification system you'd just need to trust the root
> CAs and subordinates would be checked automatically.
>
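The situation the two messages describe, as an added example that is not part of the original thread and not OpenSSL project code: a three-level chain (root, intermediate, leaf) is built with the openssl CLI, and the leaf is then verified with only the root in the trust store. The first verification fails because the intermediate is nowhere to be found; the second passes once the intermediate is supplied as an untrusted certificate via `-untrusted`, which is how a browser treats the extra certificates a server sends along with its own (they need not be in the browser's trust database, only the root does). All names, file names and the directory layout are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): build root -> intermediate
# -> leaf with the openssl CLI, then verify the leaf with only the root
# trusted. Every name and file here is constructed for the example.
set -e

# Self-contained extension config so the example does not depend on the
# system openssl.cnf.
write_config() {
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Create root.pem (self-signed), inter.pem (signed by root) and leaf.pem
# (signed by inter) in the directory given as $1.
make_chain() {
  write_config "$1"
  (
    cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
      -days 365 -subj "/CN=Example Root CA" -config ca.cnf -extensions v3_ca \
      2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
      -subj "/CN=Example Intermediate CA" -config ca.cnf 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 365 -extfile ca.cnf -extensions v3_ca -out inter.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=www.example.test" -config ca.cnf 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
      -days 365 -extfile ca.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null
  )
}

# Verify leaf.pem with root.pem as the only trust anchor. Any extra arguments
# are passed to openssl verify (e.g. "-untrusted inter.pem"). Returns 0 only
# when openssl reports "leaf.pem: OK".
verify_leaf() {
  dir=$1; shift
  (cd "$dir" && openssl verify -CAfile root.pem "$@" leaf.pem 2>&1 \
     | grep -q '^leaf.pem: OK$')
}

demo=$(mktemp -d)
make_chain "$demo"
if verify_leaf "$demo"; then
  echo "root only: OK (unexpected)"
else
  echo "root only: verification fails, the intermediate is missing"
fi
if verify_leaf "$demo" -untrusted inter.pem; then
  echo "root + intermediate supplied as untrusted: OK"
fi
rm -rf "$demo"
```

The intermediate is never added to the trust store: it is handed to the verifier as untrusted material and is accepted only because its signature chains to the trusted root. That is the gap between Netscape's behaviour and the OpenSSL of the time described in the quoted reply, where subordinate CAs had to be trusted explicitly.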
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]