On 2012-02-24 00:58 +0530 (Fri), Ashok C wrote:

> We too have the use cases of those four certificates. Now what would be the
> best programmatic way to find out for sure if a given certificate is a CA
> certificate or not, be it a v3 or a v1.

Well, in the end, given your conditions, you can't be absolutely sure. For v1 certificates, it's not the certificate itself but how it's used that determines if it's a "CA certificate" or not.

This is actually common to a lot of things in the X.509 world: the syntax is well defined, but the semantics are not. So when it comes to precise semantics, you use what others are using in their particular corner of the PKI world, or define them yourself if you're in your own corner. This is why we have not only the X.509 standards, but profiles of them such as RFC 5280 (Internet X.509 Public Key Infrastructure, or PKIX) and RFC 2818 (HTTP Over TLS).

(Anybody, please feel free to correct me if I'm wrong, but this is basically what I've gotten from many hours of study on this over the last few months in preparation for setting up my own PKI.)

cjs
--
Curt Sampson <c...@cynic.net> +81 90 7737 2974
http://www.starling-software.com/
I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone. --Bjarne Stroustrup

OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
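
The distinction drawn in the reply above, as an added example that is not part of the original message or of OpenSSL: under the RFC 5280 profile a v3 certificate must assert CA status itself, while a v1/v2 certificate can only be treated as a CA through local, out-of-band configuration. `CertFacts`, `is_ca`, `local_ca_set` and the sample values are hypothetical names, and the fields are assumed to have been extracted already by whatever X.509 parser is in use.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class CertFacts:
    """Hypothetical container for fields already read from a parsed certificate."""
    version: int                                  # 1, 2 or 3
    fingerprint: str                              # digest of the DER encoding
    basic_constraints_ca: Optional[bool] = None   # None = extension absent
    key_usage: Optional[FrozenSet[str]] = None    # None = extension absent


def is_ca(cert: CertFacts, local_ca_set: FrozenSet[str]) -> Tuple[bool, str]:
    """Return (verdict, reason) under the RFC 5280 profile."""
    if cert.version == 3:
        # The certificate itself must assert CA status.
        if cert.basic_constraints_ca is not True:
            return False, "v3 without basicConstraints cA=TRUE"
        if cert.key_usage is not None and "keyCertSign" not in cert.key_usage:
            return False, "keyUsage present but lacks keyCertSign"
        return True, "v3 asserts cA=TRUE"
    # v1/v2 have no extensions, so only out-of-band knowledge can decide.
    if cert.fingerprint in local_ca_set:
        return True, "v1/v2 designated as CA by local configuration"
    return False, "v1/v2 not designated as CA locally"


# Constructed sample data; fingerprints are placeholders, not real digests.
V1_ROOT = CertFacts(version=1, fingerprint="constructed-v1-root")
V3_CA = CertFacts(3, "constructed-v3-ca", True, frozenset({"keyCertSign", "cRLSign"}))
V3_LEAF = CertFacts(3, "constructed-v3-leaf", None, None)
V3_BAD = CertFacts(3, "constructed-v3-bad", True, frozenset({"digitalSignature"}))

if __name__ == "__main__":
    trusted = frozenset({V1_ROOT.fingerprint})
    for c in (V1_ROOT, V3_CA, V3_LEAF, V3_BAD):
        print(c.fingerprint, is_ca(c, trusted), is_ca(c, frozenset()))
```

The same v1 certificate yields opposite verdicts depending only on `local_ca_set`, which is the point of the reply: for v1 the answer lives in the relying party's configuration, not in the certificate.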