Hi Steve,
Thanks for your quick response. It makes a lot of sense to me now.
I have two follow-up questions, though.
1) I guess the way to include all intermediate certs in the signature is like this:
openssl smime -sign -signer signer.pem -certfile ca2.pem -in test.txt -out test.signed
I tried to avoid using the -certfile option; instead I included all intermediate CA certs in signer.pem, but it didn't seem to work. Is -certfile the only way to include the intermediate certs?
2) When I get a signature with the certificate included, what should I expect? Can I assume the whole certificate chain except the top root certificate would be included in the signature? This would affect the verification side's configuration. When I use chain trust mode to verify a signature with the cert included, should I use the top root only, or should I always put the whole chain within -CAfile?
Thanks again for your help.
Kate
-----Original Message-----
From: Dr S N Henson
To: [EMAIL PROTECTED]
Sent: 7/29/01 8:21 PM
Subject: Re: OpenSSL SMIME Signature Verification Chain Trust vs. Direct Trust
Kate Wang wrote:
>
> Hi, all,
>
> It seems to me that for SMIME signature verification, ALL CA certificates
> (including root and intermediate CAs) have to be included in the CA file
> specified in the -CAfile option. I don't really understand why this should
> be enforced. In earlier versions of OpenSSL there was an option -NOCHAIN for
> verification, but it seems to me that it has been removed in OpenSSL 0.9.6a.
> Does anybody know the reason?
>
Only the root CA and any intermediate CAs missing in the message need to
be included.
> If the intermediate CA certificates are included in the signature, why do I
> have to put intermediate CA certs in the CA file again? Do I have a
> workaround for this?
>
> During the signature verification process, I also want to check that the signer
> cert included in the signature matches a cert installed in my system. Does
> anyone know what is the best way to do this? If I specify -nointern and
> -certfile like the following, is that the proper way to do this?
>
> openssl smime -verify -nointern -certfile usercert.pem -CAfile cafile.pem
> -in signature
>
That should be OK. If you include -noverify as well you don't actually
need the CA certificate in this case because the -certfile certificates
are trusted.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
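The two trust modes discussed in this thread, as an added, self-contained example (these are not Kate's or Steve's commands and not OpenSSL project code). The script builds a throwaway three-level PKI under hypothetical file names (root.pem, ca2.pem as the intermediate, signer.pem with its key in signer.key, cafile.pem holding root plus intermediate) and then signs a constructed test.txt twice: once with -certfile ca2.pem so the intermediate travels inside the message, once without. Each signed message is then verified with root-only chain trust, whole-chain chain trust, and direct trust via -nointern -noverify -certfile. The -inkey option is added to the signing commands because signer.pem here holds only the certificate; Kate's command assumes the key is in the same file.

```shell
#!/bin/sh
# Added example for this thread (not Kate's or Steve's commands, and not
# OpenSSL project code). It builds a throwaway three-level PKI with
# hypothetical file names (root.pem, ca2.pem, signer.pem/signer.key) and then
# exercises chain trust via -CAfile and direct trust via -nointern -certfile.
set -e

# Scratch directory for the constructed PKI and messages.
WORK="${WORK:-$(mktemp -d)}"

# make_pki: root CA -> intermediate (ca2) -> S/MIME signer, all constructed here.
# The extension sections give the CAs CA:TRUE (required for chain building) and
# the signer the key usage / EKU that "openssl smime -verify" checks by default.
make_pki() (
  cd "$WORK"
  cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[signer]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
EOF
  for n in root ca2 signer; do openssl genrsa -out "$n.key" 2048 2>/dev/null; done
  openssl req -new -key root.key -subj "/CN=Example Root CA" -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -days 365 \
    -extfile ext.cnf -extensions ca -out root.pem 2>/dev/null
  openssl req -new -key ca2.key -subj "/CN=Example Intermediate CA" -out ca2.csr
  openssl x509 -req -in ca2.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ext.cnf -extensions ca -out ca2.pem 2>/dev/null
  openssl req -new -key signer.key -subj "/CN=Kate" -out signer.csr
  openssl x509 -req -in signer.csr -CA ca2.pem -CAkey ca2.key -CAcreateserial \
    -days 365 -extfile ext.cnf -extensions signer -out signer.pem 2>/dev/null
  # cafile.pem is the whole CA chain; root.pem alone is the "root only" CAfile.
  cat root.pem ca2.pem > cafile.pem
  echo "hello from the added example" > test.txt
)

# sign_with_chain: Kate's first question. -certfile ca2.pem ships the
# intermediate inside the S/MIME message alongside the signer certificate.
sign_with_chain() (
  cd "$WORK"
  openssl smime -sign -signer signer.pem -inkey signer.key -certfile ca2.pem \
    -in test.txt -out test.signed
)

# sign_without_chain: same signer, but the intermediate is left out of the message.
sign_without_chain() (
  cd "$WORK"
  openssl smime -sign -signer signer.pem -inkey signer.key -in test.txt -out test.nochain
)

# verify FILE [smime -verify options...]: prints "ok" or "fail" instead of
# aborting, so the different configurations can be compared side by side.
verify() {
  f=$1; shift
  if (cd "$WORK" && openssl smime -verify -in "$f" "$@" -out /dev/null 2>/dev/null); then
    echo ok
  else
    echo fail
  fi
}

main() {
  make_pki
  sign_with_chain
  sign_without_chain
  # Chain trust: the message carries ca2, so the root alone suffices in -CAfile.
  echo "chain in message, -CAfile root.pem:   $(verify test.signed -CAfile root.pem)"     # ok
  # Intermediate is in neither the message nor -CAfile: no chain can be built.
  echo "no chain,         -CAfile root.pem:   $(verify test.nochain -CAfile root.pem)"    # fail
  # Steve's rule: any CA missing from the message must be supplied in -CAfile.
  echo "no chain,         -CAfile cafile.pem: $(verify test.nochain -CAfile cafile.pem)"  # ok
  # Direct trust: the signer is looked up only among the -certfile certs, so a
  # message from a cert not installed on the verifier is rejected outright.
  echo "direct trust, -certfile signer.pem:   $(verify test.nochain -nointern -noverify -certfile signer.pem)"  # ok
  echo "direct trust, -certfile ca2.pem:      $(verify test.nochain -nointern -noverify -certfile ca2.pem)"     # fail
}

main
```

Run it as `sh smime-trust-demo.sh` with the openssl command line tool on PATH; the last two lines show the direct-trust check from Kate's original question: with -nointern the signer certificate embedded in the message is ignored, so verification succeeds only when the signer matches a certificate in -certfile, and -noverify then makes the -CAfile unnecessary, exactly as Steve describes.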