Thomas Reinke wrote:
>
> Thanks for the reply. For the most part, I think I understand what
> you're saying, except that I have one gap in my knowledge.
>
> If I can bother you to complete one more little gap in my
> ignorance:
>
> In chain verification, (ala Netscape), wouldn't the browser still
> need to be able to get its hands on the other certificates in
> the chain to complete the path up to the root, trusted, certificate?
> That's my problem - I can visit sites signed by Equifax and Entrust
> CA certs, but without having these certs in my browser.
>
> That means I am getting something wrong - the certs either
> a) must be in my browser (so where are they hiding? - not cert7.db!) OR
> b) there must be another way of verifying the chain
The server sends the chain.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
