Mark wrote:
Hi Bear,
As I said, just remember to use some intelligence.  Verify the
issuer, be prepared for the case where a clueless CA issues the
same serial number (which is definitely an error, but how will you
handle it?), etc.
Are there any additional steps necessary to verifying the issuer
apart from the normal peer authentication and a string compare of
the issuer name?

I guess I'll use the subject hash value as an additional check
to the serial number.
Didn't you say that you have only ONE CA? This means you have only ONE issuer, and
since this is the only cert that you put into the verifyfile, only client certificates signed by
this CA can be used. Thus, you only have the serial number to handle in your authorisation tool,
unless you want to handle certificate renewal transparently. Then you take the name
of the subject, i.e. a string representation of the Subject's DN.

I think this thread is getting into a book about how to program with openssl.

Cheers, Mark
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
-- 
To verify the signature, see http://edelpki.edelweb.fr/
This lets you load the authority's certificate;
the list of revoked certificates can also be found there.
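The authorisation step Mark describes (one CA, so check the issuer, then the serial number, and fall back to the subject DN when a renewed certificate should be accepted transparently), as an added example that is not part of the original thread and not OpenSSL project code. It assumes only that the `openssl` command-line tool is installed; the CA, the client certificates, their serial numbers and the allow-list are all constructed here for the demo. Chain validation against the CA (the "normal peer authentication") is assumed to have happened already in the TLS layer; this script only does the authorisation decision on top of it, and treats a serial number that the same CA has handed out twice as ambiguous and refuses it.

```shell
#!/bin/sh
# Added example, not from the original thread. Authorise a client certificate
# by issuer DN + serial number, with a subject-DN fallback for renewals.
# Assumes the `openssl` CLI is available. All PKI material below is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed test PKI: one CA and a helper that issues client certs ---
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# issue_client <CN> <serial-hex> <out.pem>  (constructed helper, not an OpenSSL tool)
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -set_serial "$2" -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -out "$3" >/dev/null 2>&1
}
issue_client bear    0x1000 "$WORK/bear.crt"       # listed serial
issue_client bear    0x1001 "$WORK/bear-new.crt"   # same subject, renewed (new serial)
issue_client mallory 0x1002 "$WORK/mallory.crt"    # same CA, unknown subject and serial

# --- field extractors ---
# RFC2253 name formatting gives the same string on OpenSSL 1.1 and 3.x,
# so a plain string compare of the DN is safe.
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
# Serial normalised to upper-case hex without leading zeros so that
# "0x1000", "001000" and "1000" all compare equal.
cert_serial()  { openssl x509 -in "$1" -noout -serial | sed 's/^serial= *//; s/^0*//' | tr 'a-f' 'A-F'; }

# --- constructed allow-list: issuer-DN <TAB> serial <TAB> subject-DN ---
ALLOW="$WORK/allow.tsv"
printf '%s\t%s\t%s\n' "CN=Example Test CA,O=Example" "1000" "CN=bear,O=Example" > "$ALLOW"

# authorize <cert.pem>: prints ALLOW, RENEWED or DENY; exit 0 only for ALLOW/RENEWED
authorize() {
    issuer=$(cert_issuer "$1"); serial=$(cert_serial "$1"); subject=$(cert_subject "$1")
    # 1. The issuer must be our one CA. A colliding serial from some other
    #    CA must never match, so this check comes first.
    if ! cut -f1 "$ALLOW" | grep -qxF "$issuer"; then echo DENY; return 1; fi
    # 2. Exact issuer + serial match. More than one row for the same
    #    issuer+serial means the CA re-used a serial: ambiguous, refuse.
    matches=$(awk -F'\t' -v i="$issuer" -v s="$serial" '$1==i && $2==s' "$ALLOW" | wc -l)
    if [ "$matches" -gt 1 ]; then echo DENY; return 1; fi
    if [ "$matches" -eq 1 ]; then echo ALLOW; return 0; fi
    # 3. Same issuer and same subject DN but a new serial: transparent renewal.
    if awk -F'\t' -v i="$issuer" -v s="$subject" \
            '$1==i && $3==s {found=1} END {exit !found}' "$ALLOW"; then
        echo RENEWED; return 0
    fi
    echo DENY; return 1
}

# Stand-alone demo run (each call prints its decision).
for c in bear bear-new mallory; do
    printf '%s: ' "$c"; authorize "$WORK/$c.crt" || true
done
```

Step 2 is where a CA that re-issues a serial number shows up: the safe reaction is to refuse rather than pick one row, because the serial no longer identifies a single certificate. If renewal is not wanted, drop step 3 and the subject column, and the decision rests on issuer plus serial alone, which is exactly the single-CA case in the message above.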