Hello,

This is not really an OpenSSL question but a general concern.
I'm developing software for a public/private key driven environment (X.509).
There are tools to create and manage public/private keys and so on.
So my sponsor asked me about the possibility of renewing expired keys.

My first thought was: take the given certificate, clone it, create a new public/private key, set the validity and finish by signing with an issuer or creating a self-signed signature.
(Of course modifying the subject key identifier and so on.) Easy solution.
Then I started playing. Now you can feed in a private certificate and you get an identical
certificate back with only the validity changed.

I created a dummy CA and created dummy certificates signed by that dummy CA.
Then I renewed the CA with the option to keep the public/private key.
So I'm still able to verify the signature of the dummy certificates with the renewed dummy CA. I understand that only the public key is what matters here, but it feels somehow obscure, not to say unethical...

Is this a point of weakness? How do you feel about it? Let's discuss.

Cheers,
Sascha



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
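The experiment described in the message above, reproduced with the openssl command line as an added example (this is not code from the original post or from the OpenSSL project). It builds a dummy CA with a one-day validity, issues a leaf certificate from it, then "renews" the CA twice: once keeping the same key pair and once with a fresh key pair. `openssl verify -attime` is used to evaluate the chain two days later, when the original CA certificate has expired. The subject names, file names and the minimal config file are all made up for the demo; it assumes an openssl binary of version 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: "renew" a dummy CA the two
# ways discussed above (keeping its key pair vs. generating a new one) and
# check whether a certificate the old CA issued still verifies afterwards.
# Assumes the openssl CLI (1.1.1 or later) is on PATH; every subject name,
# file name and config section below is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

CA_SUBJ="/CN=Dummy CA"          # constructed subject names
LEAF_SUBJ="/CN=dummy-leaf"

# Minimal req/x509 config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

gen_key() {  # out
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# Self-sign a CA certificate for an existing key with a fresh validity period:
# running this again on the same key is the "renewal" the post describes.
issue_ca_cert() {  # key out days
    openssl req -new -x509 -key "$1" -subj "$CA_SUBJ" -days "$3" \
        -config "$WORK/ext.cnf" -extensions v3_ca -out "$2"
}

# Issue a 30-day leaf certificate signed by the given CA cert/key.
issue_leaf() {  # cacert cakey leafkey out
    openssl req -new -key "$3" -subj "$LEAF_SUBJ" -config "$WORK/ext.cnf" -out "$4.csr"
    openssl x509 -req -in "$4.csr" -CA "$1" -CAkey "$2" -set_serial 4096 -days 30 \
        -extfile "$WORK/ext.cnf" -extensions v3_leaf -out "$4" 2>/dev/null
}

# Subject Key Identifier of a certificate (hex, colon separated). The SKI is
# derived from the public key, so it only changes when the key pair changes.
ski_of() {  # cert
    openssl x509 -in "$1" -noout -ext subjectKeyIdentifier | sed -n 2p | tr -d ' '
}

# "ok" if LEAF chains to CA when the chain is evaluated at epoch second AT,
# otherwise "FAIL" (expired issuer, unknown issuer, bad signature, ...).
verify_at() {  # ca leaf at
    if openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

# Scenario: 1-day CA, 30-day leaf, then the CA renewed with and without its key.
build_scenario() {
    gen_key "$WORK/ca.key"
    issue_ca_cert "$WORK/ca.key" "$WORK/ca-old.pem" 1
    gen_key "$WORK/leaf.key"
    issue_leaf "$WORK/ca-old.pem" "$WORK/ca.key" "$WORK/leaf.key" "$WORK/leaf.pem"
    # Renewal A: same key pair, only the validity changes.
    issue_ca_cert "$WORK/ca.key" "$WORK/ca-samekey.pem" 3650
    # Renewal B: fresh key pair under the same subject name.
    gen_key "$WORK/ca-new.key"
    issue_ca_cert "$WORK/ca-new.key" "$WORK/ca-newkey.pem" 3650
}

build_scenario
NOW=$(date +%s)               # taken after issuance so NOW >= every notBefore
LATER=$((NOW + 2 * 86400))    # two days on: old CA expired, leaf still valid

printf 'old CA SKI:                    %s\n' "$(ski_of "$WORK/ca-old.pem")"
printf 'same-key renewed CA SKI:       %s\n' "$(ski_of "$WORK/ca-samekey.pem")"
printf 'new-key renewed CA SKI:        %s\n' "$(ski_of "$WORK/ca-newkey.pem")"
printf 'leaf vs old CA, now:           %s\n' "$(verify_at "$WORK/ca-old.pem" "$WORK/leaf.pem" "$NOW")"
printf 'leaf vs old CA, in 2 days:     %s\n' "$(verify_at "$WORK/ca-old.pem" "$WORK/leaf.pem" "$LATER")"
printf 'leaf vs same-key CA, 2 days:   %s\n' "$(verify_at "$WORK/ca-samekey.pem" "$WORK/leaf.pem" "$LATER")"
printf 'leaf vs new-key CA, 2 days:    %s\n' "$(verify_at "$WORK/ca-newkey.pem" "$WORK/leaf.pem" "$LATER")"
```

The same-key renewal keeps the SKI identical, so the leaf's authorityKeyIdentifier still points at the renewed CA and the chain verifies after the original CA certificate has expired; the new-key renewal changes the SKI and the leaf no longer chains, which is why a CA key rollover normally requires re-issuing (or cross-certifying) everything below it.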
