Mark wrote:

> Are there any additional steps necessary to verify the issuer
> apart from the normal peer authentication and a string compare of
> the issuer name?
Just follow the certificate chain back to a trusted root. Anyone can forge a certificate chain, but they won't be able to get back to a trusted root. If you don't do this a malicious party could substitute his cert for a good one and/or prevent a legitimate user from providing her own good cert.

Bear

P.S., remember that the serial number is an arbitrarily long number/string. Some CAs (Verisign?) appear to use cryptographic hashes as their serial numbers. Others use a modified timestamp (e.g., YYYYMMDDHHMMSSxxxxxx).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
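The point Bear makes (an issuer-name string compare is not a trust decision; chaining to a trusted root is) can be shown with the openssl command-line tool. The script below is an added example, not code from the original thread or from the OpenSSL project: it builds two throwaway CAs that carry the identical subject name "Example Root CA", issues a leaf from each, and then shows that the issuer names compare equal while only the leaf signed by the trusted root passes `openssl verify`. All key material is generated into a temporary directory; the only assumption is that the `openssl` binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): why "issuer name matches" is not
# enough, and chain validation against a trusted root is required.
# Assumes the openssl CLI is installed. Everything below is throwaway test
# material generated in a temp directory.

set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME SUBJECT: self-signed CA cert+key as $WORK/NAME.crt / NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.crt" -subj "$2" -days 1 2>/dev/null
}

# issue_leaf CA SUBJECT NAME: leaf cert for SUBJECT signed by CA, as $WORK/NAME.crt
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$3.key" \
        -out "$WORK/$3.csr" -subj "$2" 2>/dev/null
    openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -out "$WORK/$3.crt" -days 1 2>/dev/null
}

# issuer_of NAME: the issuer DN as printed by openssl (the "string compare" input)
issuer_of() {
    openssl x509 -in "$WORK/$1.crt" -noout -issuer
}

# chain_ok NAME: "ok" if the cert chains to the trusted root, else "fail"
chain_ok() {
    if openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

demo() {
    # The real trusted root, and a second CA that merely copies its name.
    make_ca root  "/CN=Example Root CA"
    make_ca rogue "/CN=Example Root CA"
    issue_leaf root  "/CN=alice" good
    issue_leaf rogue "/CN=alice" forged

    # A string compare of the issuer name cannot tell the two leaves apart...
    if [ "$(issuer_of good)" = "$(issuer_of forged)" ]; then same=yes; else same=no; fi

    # ...but walking the chain back to the trusted root can.
    echo "issuer_names_match=$same good=$(chain_ok good) forged=$(chain_ok forged)"
}

demo
```

Running it prints `issuer_names_match=yes good=ok forged=fail`: the forged leaf carries exactly the issuer name a naive check would accept, and is rejected only because its signature does not verify under the key of the root that is actually trusted. In application code the equivalent step is performing full chain verification (for example against an `X509_STORE` of trusted roots in the OpenSSL API) before, not instead of, any comparison of the issuer name.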