Hi Steve,

Thanks for your quick response. It makes a lot of sense to me now.

I have two follow-up questions, though.

1) I guess the way to include all intermediate certs in the signature is like
this:

    openssl smime -sign -signer signer.pem -certfile ca2.pem -in test.txt -out test.signed

I tried to avoid using the -certfile option; instead I included all intermediate
CA certs in signer.pem, but it didn't seem to work. Is -certfile the only
way to include the intermediate certs?

2) When I get a signature with the certificate included, what should I expect?
Can I assume the whole certificate chain except the top root certificate
would be included in the signature? This would affect the verification
side's configuration. When I use chain trust mode to verify a signature with
the cert included, should I use the top root only, or should I always put the
whole chain within -CAfile?

Thanks again for your help.

Kate

-----Original Message-----
From: Dr S N Henson
To: [EMAIL PROTECTED]
Sent: 7/29/01 8:21 PM
Subject: Re: OpenSSL SMIME Signature Verification Chain Trust vs. Direct Trust



Kate Wang wrote:
> 
> Hi, all,
> 
> It seems to me that for SMIME signature verification, ALL CA certificates
> (including root and intermediate CAs) have to be included in the CA file
> specified in the -CAfile option. I don't really understand why this should be
> enforced. In earlier versions of OpenSSL there is an option -NOCHAIN for
> verification, but it seems to me that it has been removed in OpenSSL 0.9.6a.
> Does anybody know the reason?
> 

Only the root CA and any intermediate CAs missing in the message need to
be included.

> If the intermediate CA certificates are included in the signature, why do I
> have to put intermediate CA certs in the CA file again? Do I have a
> workaround for this?
> 
> During the signature verification process, I also want to check that the
> signer cert included in the signature matches a cert installed in my system.
> Does anyone know what is the best way to do this? If I specify -nointern
> and -certfile like the following, is that the proper way to do this?
> 
> openssl smime -verify -nointern -certfile usercert.pem -CAfile cafile.pem -in signature
> 

That should be OK. If you include -noverify as well you don't actually
need the CA certificate in this case because the -certfile certificates
are trusted.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
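The following is an added demo script, not code from Kate, Steve or the OpenSSL project, that walks through both of Kate's questions and Steve's answer with a throwaway certificate chain. It builds its own root, intermediate and signer certificates in a temporary directory (all names and subjects such as root, inter, signer and kate@example.test are invented), signs a constructed message once with the intermediate embedded via -certfile and once without, and then verifies each under chain trust with different -CAfile contents and under direct trust with -nointern -certfile -noverify. It assumes a reasonably current openssl binary in PATH.

```shell
#!/bin/sh
# Added demo, not code from the thread or from the OpenSSL project.
# Builds a throwaway root -> intermediate -> signer chain, then shows how
# 'openssl smime -sign -certfile' and 'openssl smime -verify -CAfile' interact.
# All file names and subjects (root, inter, signer, kate@example.test) are invented.
set -eu

# Issue one certificate. $1=basename, $2=subject, $3=extension file,
# $4=issuer basename, or "self" for the self-signed root.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "$2" 2>/dev/null
    if [ "$4" = self ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
            -extfile "$3" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
            -CAcreateserial -days 1 -extfile "$3" -out "$1.pem" 2>/dev/null
    fi
}

# Create root.pem, inter.pem and signer.pem (plus keys) in the current directory.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=emailProtection\n' > ee.ext
    issue_cert root   "/CN=Demo Root CA"         ca.ext self
    issue_cert inter  "/CN=Demo Intermediate CA" ca.ext root
    issue_cert signer "/CN=kate@example.test"    ee.ext inter
}

# Sign $1 into $2. $3 (optional) is a PEM file whose certs get embedded in
# the signature; this is how the intermediate CA travels with the message.
sign_message() {
    if [ -n "${3:-}" ]; then
        openssl smime -sign -in "$1" -out "$2" -signer signer.pem \
            -inkey signer.key -certfile "$3"
    else
        openssl smime -sign -in "$1" -out "$2" -signer signer.pem -inkey signer.key
    fi
}

# Chain trust: build a path from the embedded signer cert to a cert in $2.
# Prints "ok" or "fail" so the result can be captured by the caller.
verify_chain() {
    if openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null; then
        echo ok
    else
        echo fail
    fi
}

# Direct trust: ignore the certs inside the message (-nointern), take the
# signer cert from $2 instead, and skip chain building entirely (-noverify).
verify_direct() {
    if openssl smime -verify -in "$1" -nointern -certfile "$2" -noverify \
            -out /dev/null 2>/dev/null; then
        echo ok
    else
        echo fail
    fi
}

run_demo() {
    start=$PWD
    work=$(mktemp -d)
    cd "$work"
    make_chain
    printf 'constructed test message\n' > test.txt
    sign_message test.txt with-inter.signed inter.pem   # like "-certfile ca2.pem"
    sign_message test.txt no-inter.signed               # intermediate left out
    cat root.pem inter.pem > root-and-inter.pem
    echo "intermediate embedded, -CAfile root only:         $(verify_chain with-inter.signed root.pem)"
    echo "intermediate embedded, -CAfile intermediate only: $(verify_chain with-inter.signed inter.pem)"
    echo "intermediate missing,  -CAfile root only:         $(verify_chain no-inter.signed root.pem)"
    echo "intermediate missing,  -CAfile root+intermediate: $(verify_chain no-inter.signed root-and-inter.pem)"
    echo "direct trust (-nointern -certfile -noverify):     $(verify_direct no-inter.signed signer.pem)"
    cd "$start"
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "openssl not found in PATH; nothing to demonstrate" >&2
fi
```

Running it prints ok for the first line (intermediate carried in the message, only the self-signed root in -CAfile), fail for the second and third (a trust file holding only the intermediate does not terminate the chain, and a message that omits the intermediate cannot be chained to the root alone), ok for the fourth (the missing intermediate supplied in -CAfile instead), and ok for the direct-trust line. That is Steve's rule in practice: the verifier's -CAfile needs the top root, plus whichever intermediates the message does not carry. The direct-trust mode needs no CA file at all because -noverify skips chain building, so it only establishes that the signature was made with the key matching the listed certificate; which certificates are allowed into that -certfile is then a decision the verifying side has to control itself.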
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]