On Wed, Dec 31, 2008 at 05:17:00AM -0500, Jason wrote:

> > To be precise, not a root CA, but an intermediate CA, from an issuing
> > CA involved in multiple "unfortunate" practices.
> >
>
> I read this yesterday, and got to thinking about a Firefox plugin to
> generate a warning. Is it sufficient to check that the cert isn't using
> MD5 as its hashing algo? Or, does every cert between you and the root
> CA need to be checked?

If you want to check, then every certificate (the leaf and intermediate
CAs) other than the root CA certificate needs to be using SHA-1.

> I guess another way of asking is this, does the rogue intermediate CA
> have the ability to sign another intermediate CA cert which uses SHA1?

Yes. There is no requirement for a CA to use the digest algorithm that
signed the CA's certificate for certs it signs.

--
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
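
Added example, not part of the original thread and not OpenSSL code: a standard-library Python sketch of the check described in the reply above, reading the outer signatureAlgorithm OID of every certificate below the root and reporting the MD5-signed ones. The function names and the sample chain are assumptions made for illustration; the "certificates" are constructed DER skeletons with placeholder contents, not real certificates.

```python
MD5_RSA = bytes.fromhex("2a864886f70d010104")   # md5WithRSAEncryption, 1.2.840.113549.1.1.4
SHA1_RSA = bytes.fromhex("2a864886f70d010105")  # sha1WithRSAEncryption, 1.2.840.113549.1.1.5

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def signature_oid(cert_der):
    """OID (content bytes) of the outer signatureAlgorithm of a DER certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)    # Certificate ::= SEQUENCE {
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)           #   tbsCertificate (skipped)
    _, alg, _ = read_tlv(cert, pos)         #   signatureAlgorithm
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return oid

def md5_signed(chain):
    """chain is [(name, der), ...], leaf first, root last; the root is not checked."""
    return [name for name, der in chain[:-1] if signature_oid(der) == MD5_RSA]

# --- Constructed sample data: only the outer layout of a certificate is modelled ---
def tlv(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def skeleton(oid):
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))        # AlgorithmIdentifier
    return tlv(0x30, tlv(0x30, bytes(200)) + alg + tlv(0x03, bytes(129)))

# An MD5-signed intermediate that issues SHA-1 certificates, as in the thread.
CHAIN = [("leaf", skeleton(SHA1_RSA)), ("sub-CA", skeleton(SHA1_RSA)),
         ("rogue-CA", skeleton(MD5_RSA)), ("root", skeleton(MD5_RSA))]

if __name__ == "__main__":
    print("leaf signed with MD5:", signature_oid(CHAIN[0][1]) == MD5_RSA)
    print("MD5-signed below the root:", md5_signed(CHAIN))
```

For real certificates in PEM form, convert each one to DER first, for example with ssl.PEM_cert_to_DER_cert from the Python standard library.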