[openssl-dev] OpenSSL and certain PEM formats

Viktor Dukhovni openssl-users at dukhovni.org
Fri Dec 19 15:09:07 UTC 2014


On Fri, Dec 19, 2014 at 07:02:29AM -0800, Sean Leonard wrote:

> There is also a "TRUSTED CERTIFICATE" label that OpenSSL uses...I believe
> this is a vendor-specific extension but now that I am spelunking through the
> source code I see that it could be abused. Relevant source code/comments
> say:
> https://www.openssl.org/docs/apps/x509.html

What is this "abuse" you speak of?  No remote actor injects "trusted
certificates" into the verifier's list of trust anchors.  Trusted
certificates are actually "less trusted" certificates, in that
their set of EKUs is potentially constrained.

-- 
	Viktor.
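
An added example, not part of the message above: it uses the `openssl` command-line tool to show the "TRUSTED CERTIFICATE" PEM label next to the ordinary one. The `-addtrust` setting is a local annotation listing permitted uses, stored outside the signed certificate, so the certificate fingerprint does not change. It assumes `openssl` is on the PATH; the key, the subject `demo.invalid` and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway key and certificate, created in a temp directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# First line of a PEM file, i.e. its BEGIN label.
pem_label() { head -n 1 "$1"; }

# SHA-256 fingerprint of the signed certificate contained in a PEM file.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# The use listed directly under "Trusted Uses:" in the text dump, if any.
trusted_uses() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Trusted Uses:/{n;s/^ *//;p;}'
}

make_demo() {
    # Ordinary self-signed certificate: label "CERTIFICATE".
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.invalid" \
        -keyout "$WORK/key.pem" -out "$WORK/plain.pem" 2>/dev/null
    # Same certificate with a local trust setting limited to serverAuth:
    # label "TRUSTED CERTIFICATE".
    openssl x509 -in "$WORK/plain.pem" -addtrust serverAuth -trustout \
        -out "$WORK/trusted.pem"
    # Writing it back without -trustout drops the trust settings again.
    openssl x509 -in "$WORK/trusted.pem" -out "$WORK/stripped.pem"
}

make_demo
for f in plain trusted stripped; do
    printf '%s: %s | uses: %s\n' "$f" \
        "$(pem_label "$WORK/$f.pem")" "$(trusted_uses "$WORK/$f.pem")"
done
```
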

