[openssl-dev] OpenSSL and certain PEM formats

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Dec 19 13:47:55 UTC 2014


On 12/18/2014 04:42 AM, Kurt Roeckx wrote:
> On Wed, Dec 17, 2014 at 08:34:52PM +0100, Erwann Abalea wrote:
>> On 17/12/2014 20:17, Viktor Dukhovni wrote:
>>> On Wed, Dec 17, 2014 at 10:56:34AM -0800, Sean Leonard wrote:
>>>
>>>> For reference for the group (in case you didn't take a look at the draft),
>>>> the draft documents the following labels:
>>>>
>>>> CERTIFICATE
>>>> ...
>>> Perhaps also "TRUSTED CERTIFICATE"?
>>>
>>>     crypto/pem/pem.h:#define PEM_STRING_X509_TRUSTED        "TRUSTED CERTIFICATE"
>>
>> It's specific to OpenSSL.
> 
> And it would be useful if it wasn't.

It might be useful, but getting the semantics right of what "TRUSTED
CERTIFICATE" actually means is a non-trivial task.  I'm not convinced
that OpenSSL's interpretation of it is particularly useful in many
common contexts.

Does OpenSSL have documented someplace exactly what it means to have a
"TRUSTED CERTIFICATE"?

For example, say we're talking about a certificate that i am willing to
accept for the peer foo.example.  If i mark it TRUSTED and it has
another SubjectAltName of bar.example, will OpenSSL subsequently accept
it for bar.example as well?

	--dkg
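As a concrete reference for what the OpenSSL-specific "TRUSTED CERTIFICATE" label carries on the wire, the following is an added example written for this page; it is not code from the thread or from OpenSSL. It assumes OpenSSL's X509_CERT_AUX layout (SEQUENCE of an optional trust SEQUENCE OF OID, an optional [0] IMPLICIT reject SEQUENCE OF OID, an optional UTF8String alias, an optional OCTET STRING keyid, and an optional [1] "other" list), appended after the certificate DER inside the PEM body. The certificate itself is replaced by a constructed stand-in SEQUENCE, since only its outer length matters for locating the aux block; the OID list and alias string are also constructed. Note that the trust and reject lists hold purpose OIDs such as serverAuth; the structure has no field that ties the trust decision to a particular name.

```python
import base64
import re

# Constructed stand-in for the certificate DER: SEQUENCE { INTEGER 5 }.
# A real body starts with the full X.509 certificate; the parser only needs
# the outer SEQUENCE length to find where the aux structure begins.
FAKE_CERT_DER = b"\x30\x03\x02\x01\x05"

# Purpose OIDs that commonly appear in the trust/reject lists (well-known values).
OID_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}

def _der_len(buf, pos):
    """Return (length, content_offset) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _tlv(buf, pos):
    """Split one DER TLV at buf[pos]: returns (tag, content, next_pos)."""
    tag = buf[pos]
    length, start = _der_len(buf, pos + 1)
    return tag, buf[start:start + length], start + length

def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _encode_tlv(tag, content):
    return bytes([tag]) + _encode_len(len(content)) + content

def encode_oid(dotted):
    """DER-encode a dotted OID string (base-128 arcs, first two arcs combined)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _encode_tlv(0x06, bytes(body))

def decode_oid(content):
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def _oid_list(content):
    oids, pos = [], 0
    while pos < len(content):
        tag, body, pos = _tlv(content, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER in trust/reject list")
        oids.append(decode_oid(body))
    return oids

def parse_cert_aux(aux_der):
    """Decode X509_CERT_AUX into trust/reject OID lists, alias and keyid."""
    tag, body, _ = _tlv(aux_der, 0)
    if tag != 0x30:
        raise ValueError("aux structure must be a SEQUENCE")
    result = {"trust": [], "reject": [], "alias": None, "keyid": None}
    pos = 0
    while pos < len(body):
        tag, content, pos = _tlv(body, pos)
        if tag == 0x30:            # trust: SEQUENCE OF OID
            result["trust"] = _oid_list(content)
        elif tag == 0xA0:          # reject: [0] IMPLICIT SEQUENCE OF OID
            result["reject"] = _oid_list(content)
        elif tag == 0x0C:          # alias: UTF8String
            result["alias"] = content.decode("utf-8")
        elif tag == 0x04:          # keyid: OCTET STRING
            result["keyid"] = content.hex()
        # tag 0xA1 ([1] "other") is skipped in this example
    return result

def build_trusted_pem(cert_der, trust=(), reject=(), alias=None):
    """Emit a TRUSTED CERTIFICATE block: cert DER followed by X509_CERT_AUX DER."""
    parts = b""
    if trust:
        parts += _encode_tlv(0x30, b"".join(encode_oid(o) for o in trust))
    if reject:
        parts += _encode_tlv(0xA0, b"".join(encode_oid(o) for o in reject))
    if alias is not None:
        parts += _encode_tlv(0x0C, alias.encode("utf-8"))
    b64 = base64.b64encode(cert_der + _encode_tlv(0x30, parts)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN TRUSTED CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END TRUSTED CERTIFICATE-----\n")

def parse_trusted_pem(pem):
    """Return (cert_der, aux_dict_or_None) from a TRUSTED CERTIFICATE block."""
    m = re.search(r"-----BEGIN TRUSTED CERTIFICATE-----(.*?)"
                  r"-----END TRUSTED CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("not a TRUSTED CERTIFICATE block")
    der = base64.b64decode("".join(m.group(1).split()))
    _, _, cert_end = _tlv(der, 0)          # the certificate's outer SEQUENCE
    aux = parse_cert_aux(der[cert_end:]) if cert_end < len(der) else None
    return der[:cert_end], aux

if __name__ == "__main__":
    pem = build_trusted_pem(FAKE_CERT_DER, trust=["1.3.6.1.5.5.7.3.1"],
                            reject=["1.3.6.1.5.5.7.3.2"], alias="constructed alias")
    print(pem)
    print(parse_trusted_pem(pem)[1])
```

Running the module round-trips a constructed block and prints the decoded trust/reject purposes and alias; pointing `parse_trusted_pem` at a block produced by `openssl x509 -trustout -addtrust serverAuth` would decode that block's aux fields the same way, with the real certificate DER returned as the first element.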
