On Thu, Jun 03, 2010 at 09:45:36PM +0200, Erwann ABALEA wrote:
> Hodie III Non. Iun. MMX, Victor Duchovni scripsit:
> > On Thu, Jun 03, 2010 at 02:32:10PM -0400, jeff wrote:
> > > >
> > > > I would expect such constraints to only apply when
> > > > certificates are being *verified*. There seems to be
> > > > little point in preventing a CA from attempting to sign
> > > > violating certificates.
> > >
> > > Yes, I later tried to "verify" and I still got no complaints.
> >
> > As I said, the "verify" command only checks the trust chain; peer name
> > verification is not in scope.
>
> It could fail to validate the chain, given the fact that the extension
> is set critical and not handled, even if recognized.
This is what the 1.0.0 version in fact does, but it also (as I just
learned) supports name constraints. The 0.9.8 version of the verify(1)
command-line utility does not check critical extensions:

    if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1;

The API raises the error, but verify(1) does not report it. In 1.0.0
there is a new command-line switch to ignore critical extensions.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
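The experiment jeff describes and the 1.0.0 behaviour Viktor points to, as an added example that is not part of the thread: a shell script that builds a CA with a critical nameConstraints extension, lets that CA sign a leaf outside the permitted subtree (the CA tooling does not object), and shows that verify(1) is where the violation is caught. It assumes openssl 1.1.0 or newer on PATH (whose verify(1) exits non-zero on failure); every name, file and config section in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): jeff's experiment with the openssl(1)
# CLI. The CA carries a critical nameConstraints extension permitting only
# DNS names under .example.org, yet still signs a leaf for www.example.net;
# only `openssl verify` rejects it. Assumes openssl 1.1.0+ on PATH; all
# names and files are constructed here.
nc_demo() {
  d=$(mktemp -d) || return 2
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constrained Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = critical,permitted;DNS:.example.org
EOF
  cat > "$d/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = www.example.net
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.net
EOF
  # Self-signed CA carrying the critical name constraint.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -extensions v3_ca \
    -keyout "$d/ca.key" -out "$d/ca.pem" -days 30 >/dev/null 2>&1 || return 2
  # CSR for a name outside the permitted subtree.
  openssl req -newkey rsa:2048 -nodes -config "$d/leaf.cnf" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 || return 2
  # Signing succeeds: the CA does not enforce its own constraints.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/leaf.cnf" -extensions leaf \
    -out "$d/leaf.pem" -days 30 >/dev/null 2>&1 || return 2
  # Verification is where the violation is caught (non-zero exit status).
  if openssl verify -CAfile "$d/ca.pem" "$d/leaf.pem" >/dev/null 2>&1; then
    rc=1    # accepted: this verifier does not enforce the constraint
  else
    rc=0    # rejected, e.g. "permitted subtree violation"
  fi
  rm -rf "$d"
  return $rc
}
```

Run `nc_demo; echo $?` to see 0 when the verifier rejects the leaf; drop the `>/dev/null 2>&1` on the last `openssl verify` to read the actual error text.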