On Fri, Nov 29, 2013, Erwann Abalea wrote:

> On 29/11/2013 17:53, Erwann Abalea wrote:
> >On 29/11/2013 16:25, Dr. Stephen Henson wrote:
> >
> >>Changing OIDs in the table is problematical. If anything uses them it could
> >>break them in all sorts of ways. The NID_* entries would change and text
> >>based lookup would no longer work.
> >
> >The reference ntp server uses that trustRoot one, in fact. And as
> >Rob pointed out, it compares the text representation of this OID with
> >"Trust Root" (the long form) to check if the certificate is
> >trusted or not. Similarly, if it finds a certificate with
> >1.3.6.1.4 OID (IANA private) as an EKU, the long form will be
> >"Private", and ntp will declare this certificate as
> >private+trusted.
>
> Technically, the NID_* version of those OIDs are not used by ntpd.
> For each extension found, an X509V3_EXT_print() is done on the
> extension, the result is strcmp() with "Trust Root" and/or
> "Private", and internal flags are set.
>
> I'm not sure this code works anyway.
>

I wonder if little Bobby Tables ever got a certificate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
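
The thread describes a trust decision made by comparing an extension's printed long name with strcmp(). As an added example (not code from ntpd, OpenSSL or any message above), the sketch below matches an EKU on its numeric OID instead, so a renamed table entry cannot change the result; the function names `oid_to_dotted` and `eku_is` are hypothetical and the sample bytes are constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Decode the content octets of a DER OBJECT IDENTIFIER into dotted form.
 * Returns 0 on success, -1 on malformed input or a too-small buffer. */
int oid_to_dotted(const unsigned char *der, size_t len, char *out, size_t outlen)
{
    size_t pos = 0;
    unsigned long arc = 0;
    int first = 1, n;

    if (len == 0 || (der[len - 1] & 0x80))      /* empty, or last arc truncated */
        return -1;
    for (size_t i = 0; i < len; i++) {
        if (arc == 0 && der[i] == 0x80)          /* non-minimal arc encoding */
            return -1;
        if (arc > (ULONG_MAX >> 7))              /* arc would overflow */
            return -1;
        arc = (arc << 7) | (der[i] & 0x7f);
        if (der[i] & 0x80)                       /* more octets in this arc */
            continue;
        if (first) {                             /* first octets hold two arcs */
            unsigned long a = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + pos, outlen - pos, "%lu.%lu", a, arc - 40 * a);
            first = 0;
        } else {
            n = snprintf(out + pos, outlen - pos, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= outlen - pos)  /* output did not fit */
            return -1;
        pos += (size_t)n;
        arc = 0;
    }
    return 0;
}

/* Returns 1 only if the EKU OID equals the expected dotted OID exactly. */
int eku_is(const unsigned char *der, size_t len, const char *expected)
{
    char buf[128];
    return oid_to_dotted(der, len, buf, sizeof buf) == 0 &&
           strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample: content octets of OID 1.3.6.1.4 */
    const unsigned char iana_private[] = { 0x2b, 0x06, 0x01, 0x04 };
    printf("%d\n", eku_is(iana_private, sizeof iana_private, "1.3.6.1.4"));
    return 0;
}
```

The match is exact, so an OID that merely sits under 1.3.6.1.4 does not satisfy a check for 1.3.6.1.4 itself, and malformed encodings fail closed.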