> -----Original Message-----
> From: Steffen DETTMER
>
> * Johannes Bauer wrote on Fri, Jan 13, 2012 at 14:22 +0100:
>  [...]
> > >>> Or, in other words: Let's assume I have an ultimate root
> > >>> (self-signed) "Root" and a branched CA "X". I would like to
> > >>> trust "X" and all its children, but not "Root". Is this
> > >>> not possible?
> [yes, it is not possible "by default"]
>
> > Thank you for your clarification. I also do not really see the
> > point why the anchor of trust has to be self-signed.
>
> I also wondered about this some time ago. I think when a user
> explicitly puts a sub-CA or even a non-CA certificate into the
> database of trusted certificates, chain verification could stop
> there without knowing the root-CA.

If I remember correctly, there is work going on to enable such functionality in 
an upcoming release. Perhaps Steve can shed some light on its status.

Patrick Eisenacher
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
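
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL project code: OpenSSL 1.0.2 and later accept a `-partial_chain` option on `openssl verify`, which lets chain building stop at a trusted certificate that is not self-signed. The script builds a throwaway Root -> X -> leaf chain (all names and file names are constructed) and verifies the leaf with only X in the trust store, with and without the option.

```sh
#!/bin/sh
# Added example: throwaway PKI, Demo Root -> Demo CA X -> leaf.example.
# All names and file names are constructed for this demo.

build_pki() {  # $1 = empty working directory
  (
    cd "$1" || exit 1
    # Minimal config so the run does not depend on a system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
      '[dn]' 'CN = unused' \
      '[ca]' 'basicConstraints = critical,CA:TRUE' \
      'keyUsage = critical,keyCertSign,cRLSign' \
      '[leaf]' 'basicConstraints = CA:FALSE' > pki.cnf
    new_csr() {  # $1 = file stem, $2 = common name
      openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr"
    }
    sign() {  # $1 = subject stem, $2 = issuer stem, $3 = extension section
      openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -extfile pki.cnf -extensions "$3" -out "$1.pem"
    }
    new_csr root "Demo Root" &&
    openssl x509 -req -in root.csr -signkey root.key -days 1 \
      -extfile pki.cnf -extensions ca -out root.pem &&
    new_csr x "Demo CA X" && sign x root ca &&
    new_csr leaf "leaf.example" && sign leaf x leaf
  ) >/dev/null 2>&1
}

# Verify the leaf with ONLY X in the trust store (Root is deliberately absent).
verify_with_x_only() {  # $1 = PKI directory, rest = extra "openssl verify" options
  pki=$1; shift
  openssl verify "$@" -CAfile "$pki/x.pem" "$pki/leaf.pem" >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d) || return 1
  build_pki "$dir" || { echo "PKI setup failed" >&2; return 1; }
  if verify_with_x_only "$dir"; then echo "default: accepted"
  else echo "default: rejected (issuer of X not in store)"; fi
  if verify_with_x_only "$dir" -partial_chain; then echo "-partial_chain: accepted"
  else echo "-partial_chain: rejected"; fi
  rm -rf "$dir"
}
demo
```

In application code the same behaviour is selected with the `X509_V_FLAG_PARTIAL_CHAIN` verification flag.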
