I was referring to the -setalias, -addtrust, -addreject, -clrtrust, -clrreject, -trustout, etc. If I get a cert from someone, and it doesn't have the necessary trust/extensions some app requires, I can simply add them. Which to me sounds like those trust settings and/or extensions can't really be trusted, and any app that does so is broken.
cj

----- Original Message -----
From: "Jason Haar" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 25, 2002 10:06 PM
Subject: Re: Combine certificates into chain

> On Mon, Nov 25, 2002 at 01:00:18PM -0500, Chris Jarshant wrote:
> > Another astounding fact IMO is that most of the software
> > written today looks for attributes (unsigned of course)
> > like s/mime flags, NsCert garbage, and a host of other
> > extensions that make certs usable for one use or another.
>
> Huh? Are you referring to the security hole in IE (and others) that allows
> people to alter chained certs? That's a separate issue.
>
> As far as I'm aware, you *can't* just alter the characteristics of a cert to
> your whim: you'd break the checksum which *breaks* the signing of that cert.
> I'd be surprised if any product would be as broken as to allow that...
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
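
The distinction this thread turns on, as an added example that is not part of the original messages: in OpenSSL, the settings changed by `-addtrust`, `-addreject` and `-setalias` are auxiliary data stored next to the certificate in a `TRUSTED CERTIFICATE` PEM block, outside the bytes the issuer signed. The script below attaches them to a throwaway certificate and compares the signed DER before and after; the file names, CN and alias are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. File names, CN and alias are constructed.
set -eu

# Print the PEM label of the first block in a file, e.g. "TRUSTED CERTIFICATE".
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# SHA-256 of the signed certificate only. Writing DER without -trustout
# drops the auxiliary trust data and leaves the plain X.509 structure.
cert_sha256() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Create a throwaway self-signed certificate in directory $1, then write a
# second copy with trust, reject and alias settings attached.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=aux-demo.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl x509 -in "$1/cert.pem" -trustout \
        -addtrust serverAuth -addreject emailProtection -setalias "demo" \
        -out "$1/trusted.pem"
}

workdir=$(mktemp -d)
make_demo_certs "$workdir"

echo "original label : $(pem_label "$workdir/cert.pem")"
echo "modified label : $(pem_label "$workdir/trusted.pem")"
echo "original DER   : $(cert_sha256 "$workdir/cert.pem")"
echo "modified DER   : $(cert_sha256 "$workdir/trusted.pem")"

# Show the attached settings as OpenSSL reports them (printed after the
# certificate body, not inside the signed extensions).
openssl x509 -in "$workdir/trusted.pem" -noout -text | sed -n '/Trusted Uses/,$p'

rm -rf "$workdir"
```

The two DER digests match while the PEM labels differ: the signature covers the certificate and its X.509 extensions, and the trust settings are unsigned local data that only carry weight as configuration of the verifier's own trust store.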