> This is an SSH-like scenario (meaning, the subject is already known to > the principal, who has made a choice to use the services provided by > that subject). Instead of trying to display the contents of a > self-signed webserver certificate, the only thing that you can really > truly verify is the public key contained in the certificate. The > piece you're looking for to display is the subjectKeyIdentifier, which > "should be the hash of the public key". This is basically what SSH > displays to its users.
I'm reading the actual X.509 (03/2000) specification and it refers to a subjectPublicKeyInfo field. Is this what you are meaning by "subjectKeyIdentifier"? Are you suggesting that I only display the key hash? Is it really useless to display information even on just the subject? What if the subject doesn't match the server? Shouldn't there be some kind of a warning so a user doesn't just assume it's ok, or is it just not worth it given that a malicious cert could try to have the same subject information? Thanks for all your insight, Chase ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
