Ok, I wrote the functions to manage X509_PURPOSE_OBJ_SIGN, checking if the purpose is NS_OBJSIGN or NS_OBJSIGN_CA for CA certificates.
It seems that the problem is solved. Thank you.
Gisela
----------------------------------
Gisela Acosta
Gerencia de Desarrollo de Sistemas
Red Link S.A.
Tel: (5411)4317-1400 INT 1516
http://www.redlink.com.ar
----------------------------------
Dr S N Henson <[EMAIL PROTECTED]> on 16/08/2001 13:43:08
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: Gisela Acosta/Red Link S.A.)
Subject: Re: verifying certificate
Gisela Acosta wrote:
>
> Hi,
> Thanks for your answer.
> You are right. The certificate that I've used isn't certified for email. It's
> a Verisign Netscape Object Signing* Digital ID.
> I need to verify a signed file, not an email.
> Should I use X509_PURPOSE_SMIME_SIGN or another one?
> What is the purpose of checking the purpose? What could the problem be if I'd
> use X509_PURPOSE_ANY?
>
Purpose checking is a critical aspect of certificate security. It
determines if CAs are valid and if a certificate is being used for an
authorised purpose.
Without it anyone could use their user certificate as a CA or one of
those "no checking freeware email" for something like object signing.
X509_PURPOSE_ANY actually does disable purpose checking and is a big
security hole unless used with extreme caution: it's there because
there are some highly broken CAs about which it is unfortunately
occasionally necessary to be tolerant.
By default the verification routines for S/MIME will assume the
certificate should be certified for S/MIME.
Unfortunately there isn't an object signing purpose in OpenSSL at
present: so you'd have to write a customised one.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
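The custom object-signing purpose that this thread talks about (Steve's "you'd have to write a customised one" and Gisela's NS_OBJSIGN / NS_OBJSIGN_CA check at the top of the thread), as an added example that is not code from either poster or from OpenSSL. To build without libcrypto it works on the raw DER value of the nsCertType extension rather than on an X509 object; in a real OpenSSL build the same decision would live in the check callback registered with X509_PURPOSE_add(), fed from X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL) and X509_check_ca(). The bit masks are the NS_* values from OpenSSL's x509v3.h; the sample extension values are constructed, and the policy that an end-entity certificate must carry the extension while a CA may omit it is an assumption of this example, not something the thread states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* nsCertType bit masks, same values as NS_* in OpenSSL's x509v3.h.
 * They apply to the first content byte of the BIT STRING. */
#define NS_SSL_CLIENT 0x80
#define NS_SSL_SERVER 0x40
#define NS_SMIME      0x20
#define NS_OBJSIGN    0x10
#define NS_SSL_CA     0x04
#define NS_SMIME_CA   0x02
#define NS_OBJSIGN_CA 0x01

/* Decode the DER BIT STRING that carries nsCertType and return its used
 * bits in *bits_out.  Returns 0 on success, -1 if the encoding is not a
 * well-formed BIT STRING (a purpose check must treat that as a reject,
 * never as "no restriction"). */
int decode_ns_cert_type(const uint8_t *der, size_t len, unsigned *bits_out)
{
    if (len < 3 || der[0] != 0x03)                      /* tag: BIT STRING */
        return -1;
    size_t content_len = der[1];
    if (content_len > 0x7f || content_len + 2 != len)   /* short-form length only */
        return -1;
    unsigned unused = der[2];                           /* trailing unused bits */
    if (unused > 7)
        return -1;
    if (content_len == 1) {                             /* empty BIT STRING */
        if (unused != 0)
            return -1;
        *bits_out = 0;
        return 0;
    }
    unsigned first = der[3];
    /* Only the first byte carries defined bits; when it is also the last
     * byte, mask off the declared unused bits so stray low bits (such as a
     * bogus NS_OBJSIGN_CA) cannot be smuggled in. */
    if (content_len == 2)
        first &= (0xFFu << unused) & 0xFFu;
    *bits_out = first;
    return 0;
}

/* The purpose decision, shaped like an X509_PURPOSE check callback:
 * returns 1 if the certificate is acceptable for object signing in the
 * given role, 0 if not.  ns_cert_type_der == NULL means the extension is
 * absent from the certificate. */
int check_objsign_purpose(const uint8_t *ns_cert_type_der, size_t len, int is_ca)
{
    unsigned bits;
    if (ns_cert_type_der == NULL) {
        /* Assumption of this example: a CA may omit nsCertType (OpenSSL's
         * built-in purposes tolerate that too), but the end-entity must
         * assert object signing explicitly. */
        return is_ca ? 1 : 0;
    }
    if (decode_ns_cert_type(ns_cert_type_der, len, &bits) != 0)
        return 0;                                       /* malformed: fail closed */
    unsigned required = is_ca ? NS_OBJSIGN_CA : NS_OBJSIGN;
    return (bits & required) ? 1 : 0;
}

/* Constructed sample extension values (DER BIT STRINGs); not taken from
 * any real certificate. */
const uint8_t NS_LEAF_OBJSIGN[] = { 0x03, 0x02, 0x04, 0x10 }; /* objsign only */
const uint8_t NS_CA_OBJSIGN[]   = { 0x03, 0x02, 0x00, 0x01 }; /* objsign CA */
const uint8_t NS_LEAF_EMAIL[]   = { 0x03, 0x02, 0x05, 0x20 }; /* S/MIME only */
const uint8_t NS_CA_SSL_ONLY[]  = { 0x03, 0x02, 0x02, 0x04 }; /* SSL CA only */
const uint8_t NS_BAD_UNUSED[]   = { 0x03, 0x02, 0x09, 0x10 }; /* unused bits > 7 */
const uint8_t NS_SMUGGLED_CA[]  = { 0x03, 0x02, 0x04, 0x11 }; /* 0x01 inside "unused" bits */

int main(void)
{
    struct { const char *name; const uint8_t *der; size_t len; int is_ca; } cases[] = {
        { "object signing ID used as leaf",         NS_LEAF_OBJSIGN, 4, 0 },
        { "object signing CA",                      NS_CA_OBJSIGN,   4, 1 },
        { "email-only cert used for signing",       NS_LEAF_EMAIL,   4, 0 },
        { "SSL-only CA on an object signing chain", NS_CA_SSL_ONLY,  4, 1 },
        { "malformed extension",                    NS_BAD_UNUSED,   4, 0 },
        { "CA bit hidden in unused bits",           NS_SMUGGLED_CA,  4, 1 },
        { "leaf without nsCertType",                NULL,            0, 0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-42s -> %s\n", cases[i].name,
               check_objsign_purpose(cases[i].der, cases[i].len, cases[i].is_ca)
                   ? "accept" : "reject");
    return 0;
}
```

The two rejects worth noticing are the email-only leaf (the "no checking freeware email" certificate Steve mentions would fail here rather than being accepted as an object signer) and the CA whose NS_OBJSIGN_CA bit sits in the region the BIT STRING declares as unused: without masking those bits a sloppy decoder would accept it.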
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________