On Fri, Jun 04, 2010, Peter Sylvester wrote:
> On 06/03/2010 06:11 PM, Dr. Stephen Henson wrote:
>> On Thu, Jun 03, 2010, jeff wrote:
>>
>>> I have an example, detailed below, that specifies permitted and excluded
>>> subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate
>>> requests adhering to and violating the name constraints both, even
>>> though the nameConstraints are marked as critical.
>>> Is this OpenSSL misbehaving or did I miss something when creating the
>>> sub-CA certificate or issuing the user certificate?
>>> thanks/jeff
>>>
>> This would be much easier to test if you'd attached all the relevant
>> certificates and how you are testing them. IMO
>>
> I do not think that there is any code in openssl that
> checks during creation whether a new certificate would violate
> some naming constraints.
>
Yes, you are correct. Currently constraints are not checked when a certificate is created using either the 'ca' or 'x509' utilities. It wasn't clear, at least to me, as to whether the report referred to just after creation or during some verification process.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                         majord...@openssl.org
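Since the thread establishes that the 'ca' and 'x509' utilities do not apply nameConstraints at issuance (the check happens only during path validation), an operator who wants to catch a non-compliant request before signing it has to run that check themselves. The following is an added example, not code from the thread or from OpenSSL: it implements the RFC 5280 section 4.2.1.10 dNSName subtree matching for permitted and excluded subtrees and applies it to a request's SAN DNS names; it covers dNSName only (not subject DN, email or IP constraints), and the sub-CA constraints and request names are constructed.

```python
# Added example (not from the thread, not OpenSSL code): RFC 5280 4.2.1.10
# dNSName subtree matching, used as a pre-issuance check because the 'ca'
# and 'x509' utilities do not evaluate nameConstraints when signing.
# All constraint values and request names below are constructed.

def dns_in_subtree(name: str, subtree: str) -> bool:
    """True if `name` lies inside the dNSName constraint `subtree`.
    The constraint must equal the name or be a suffix of it on a label
    boundary: 'example.com' covers 'a.example.com' but not 'badexample.com'.
    An empty constraint matches every name."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().strip(".")
    if not subtree:
        return True
    return name == subtree or name.endswith("." + subtree)


def check_name_constraints(san_dns: list, permitted: list, excluded: list) -> list:
    """Return a list of violation messages (empty list means compliant).
    Each name must fall inside at least one permitted subtree (when any
    are given) and inside none of the excluded subtrees; excluded wins."""
    problems = []
    for name in san_dns:
        if permitted and not any(dns_in_subtree(name, p) for p in permitted):
            problems.append(f"{name}: not within any permitted subtree {permitted}")
        for ex in excluded:
            if dns_in_subtree(name, ex):
                problems.append(f"{name}: within excluded subtree {ex}")
    return problems


if __name__ == "__main__":
    # Constructed sub-CA constraints: may issue under example.org, except
    # for its 'lab' subdomain, which is excluded.
    PERMITTED = ["example.org"]
    EXCLUDED = ["lab.example.org"]
    for req in (["www.example.org"], ["db.lab.example.org"], ["www.example.net"]):
        print(req, check_name_constraints(req, PERMITTED, EXCLUDED) or "OK")
```

Running the module prints "OK" for the first request and one violation for each of the other two, which is the same outcome `openssl verify` would reach on the issued certificate; running this before signing simply moves the failure to where it can still be refused.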