On Wed, Jun 07, 2006, Diarmuid Curtin wrote:

> Sorry to hi-jack this... Can I ask in what manner does it not support Bridge
> PKI's?

Well actually now I reread the message its path *validation* logic *may* support bridge PKIs. That is where effectively a single path is presented to OpenSSL and it is asked to validate it.

I say *may* because not all the RFC3280 extensions are currently supported in the validation logic. Name constraints, for example, are not at present. Certificate Policies processing is supported but not policy mapping (which is optional in RFC3280 anyway).

OpenSSL's path *discovery* currently will only attempt to find a single path to a trust anchor (which one depends on the order certificates are presented). If it fails to find it, it gives an error: it won't attempt to find a different path. It is that behaviour which is likely to not support bridge PKIs.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
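
Added example, not part of the original message and not OpenSSL code: a simplified Python model of the single-path discovery behaviour the reply describes, next to a backtracking search, run over a constructed bridge PKI. The `Cert` tuple, the function names and all certificate names are illustrative assumptions; only subject and issuer names are modelled.

```python
from collections import namedtuple

# Toy certificate: only subject and issuer names. Signatures, validity and
# extensions belong to path validation and are out of scope for discovery.
Cert = namedtuple("Cert", "subject issuer")

def issuers_of(cert, pool, path):
    """Pool certificates whose subject is cert's issuer, in presentation order."""
    return [c for c in pool if c.subject == cert.issuer and c not in path]

def single_path(leaf, pool, anchors):
    """First matching issuer at every step; a dead end is a hard failure."""
    path = [leaf]
    while path[-1].issuer not in anchors:
        cur = path[-1]
        nxt = issuers_of(cur, pool, path)
        if cur.subject == cur.issuer or not nxt:
            return None          # untrusted self-signed root, or no issuer found
        path.append(nxt[0])      # never revisits this choice
    return path

def backtracking_path(leaf, pool, anchors, path=()):
    """Depth-first search that tries the next candidate issuer on a dead end."""
    path = path + (leaf,)
    if leaf.issuer in anchors:
        return list(path)
    if leaf.subject == leaf.issuer:
        return None              # untrusted self-signed root: dead end
    for cand in issuers_of(leaf, pool, path):
        found = backtracking_path(cand, pool, anchors, path)
        if found:
            return found
    return None

# Constructed bridge PKI: the relying party trusts only RootA. RootA has
# cross-certified the Bridge CA, and the Bridge has cross-certified RootB.
ANCHORS = {"RootA"}
LEAF = Cert("user@b.example", "CA-B")
CA_B = Cert("CA-B", "RootB")
ROOTB_SELF = Cert("RootB", "RootB")     # domain B's own root, not trusted here
ROOTB_CROSS = Cert("RootB", "Bridge")   # cross-certificate issued by the bridge
BRIDGE = Cert("Bridge", "RootA")        # cross-certificate issued by RootA
SELF_FIRST = [CA_B, ROOTB_SELF, ROOTB_CROSS, BRIDGE]
CROSS_FIRST = [CA_B, ROOTB_CROSS, ROOTB_SELF, BRIDGE]

if __name__ == "__main__":
    for label, pool in (("self-signed first", SELF_FIRST), ("cross-cert first", CROSS_FIRST)):
        print(label, "single:", single_path(LEAF, pool, ANCHORS))
        print(label, "backtracking:", backtracking_path(LEAF, pool, ANCHORS))
```

With the same four certificates, the single-path search succeeds or fails purely on presentation order, while the backtracking search finds the route through the bridge either way.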