Gisela Acosta wrote:
> 
> Hi,
> Thanks for your answer.
> You are right. The certificate that I've used isn't certified for email. It's
> Verisign Netscape Object Signing* Digital ID.
> I need to verify a signed file, not an email.
> Should I use X509_PURPOSE_SMIME_SIGN or another one?
> What is the purpose to check the purpose? What could the problem be if I'd use
> X509_PURPOSE_ANY?
> 

Purpose checking is a critical aspect of certificate security. It
determines if CAs are valid and if a certificate is being used for an
authorised purpose.

Without it anyone could use their user certificate as a CA or one of
those "no checking freeware email" for something like object signing.

X509_PURPOSE_ANY actually does disable purpose checking and is a big
security hole unless used with extreme caution: it's there because
there are some highly broken CAs about, which it is unfortunately
occasionally necessary to tolerate.

By default the verification routines for S/MIME will assume the
certificate should be certified for S/MIME. 

Unfortunately there isn't an object signing purpose in OpenSSL at
present: so you'd have to write a customised one. 

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
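An added example to make the advice above concrete (this script is not part of the thread and is not OpenSSL project code). It builds a throw-away CA and a leaf certificate that carries only the Netscape nsCertType objsign bit, then shows three things: "openssl verify -purpose smimesign" rejects the leaf because it is not certified for S/MIME, "-purpose any" accepts it because purpose checking is switched off, and a composed object-signing check (chain validity under "any", plus a requirement that the leaf actually has the objsign bit) behaves the way a customised purpose would. It assumes the openssl command-line tool (1.1.1 or newer) is installed; the file names, subject names and the helper names make_certs, verify_for and verify_objsign are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSL purpose checking demonstrated
# with a constructed CA and a leaf certificate marked only for Netscape
# object signing. Needs the openssl CLI (1.1.1 or 3.x).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create the test CA and the object-signing-only leaf. The extension
# sections and all names below are constructed for this example.
make_certs() {
    cat >"$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ objsign ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
nsCertType = objsign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -subj "/CN=Constructed Test CA" -days 1 \
        -config "$WORK/ext.cnf" -extensions v3_ca 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=Constructed Object Signer" \
        -config "$WORK/ext.cnf" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.crt" -days 1 \
        -extfile "$WORK/ext.cnf" -extensions objsign 2>/dev/null
}

# verify_for PURPOSE: prints "ok" or "rejected" for the leaf under that
# built-in purpose (smimesign, sslclient, any, ...); never aborts the script.
verify_for() {
    if openssl verify -CAfile "$WORK/ca.crt" -purpose "$1" \
           "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

# OpenSSL has no built-in object-signing purpose, so compose one: the chain
# must verify (purpose checking off) AND the leaf must carry the nsCertType
# objsign bit, which -text prints as "Object Signing". This is the CLI
# counterpart of writing a customised X509_PURPOSE check.
verify_objsign() {
    if openssl verify -CAfile "$WORK/ca.crt" -purpose any \
           "$WORK/leaf.crt" >/dev/null 2>&1 \
       && openssl x509 -in "$WORK/leaf.crt" -noout -text \
          | grep -q "Object Signing"; then
        echo ok
    else
        echo rejected
    fi
}

make_certs
echo "smimesign: $(verify_for smimesign)"   # rejected: not certified for S/MIME
echo "any:       $(verify_for any)"         # ok: purpose checking disabled
echo "objsign:   $(verify_objsign)"         # ok: composed object-signing purpose
```

Note that "-purpose any" only tells you the chain is valid; it says nothing about what the signer was allowed to do. The objsign check is what actually ties the certificate to the use you are verifying, which is the point Steve makes about X509_PURPOSE_ANY.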


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]