> -----Original Message-----
> From: Steffen DETTMER
>
> * Johannes Bauer wrote on Fri, Jan 13, 2012 at 14:22 +0100:
> [...]
> > >>> Or, in other words: Let's assume I have an ultimate root
> > >>> (self-signed) "Root" and a branched CA "X". I would like to
> > >>> trust "X" and all its children, but not "Root". Is this
> > >>> not possible?
> [yes, it is not possible "by default"]
>
> > Thank you for your clarification. I also do not really see the
> > point why the anchor of trust has to be self-signed.
>
> I also wondered about this time ago. I think when a user
> explicitly puts a sub-CA or even a non-CA certificate into the
> database of trusted certificates, chain verification could stop
> there without knowing the root-CA.

If I remember correctly, there is work going on to enable such functionality in an upcoming release. Perhaps Steve can shed some light on its status.

Patrick Eisenacher
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org