[openssl-dev] OpenSSL and certain PEM formats

Kurt Roeckx kurt at roeckx.be
Fri Dec 19 19:35:02 UTC 2014


On Fri, Dec 19, 2014 at 03:05:32PM +0000, Viktor Dukhovni wrote:
> On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote:
> 
> > Does OpenSSL have documented someplace exactly what it means to have a
> > "TRUSTED CERTIFICATE"?
> 
> It is a certificate + auxiliary data which specifies a friendly name
> plus a set of EKUs.

Mozilla provides a list of root certificates and that includes at
least the trust settings for that certificate.  In Debian we then
extract the certificates from that so that it can be used by
applications that need to have a list of trusted CAs.  However
those trust settings are removed because not everything that wants
to use those certificates understands the trusted certificate.  It
would be useful to have a standardised format.


Kurt
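The structure discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL or Debian code: a TRUSTED CERTIFICATE PEM body is the certificate's DER followed by a second DER SEQUENCE holding the trust OIDs, reject OIDs and alias, and stripping the trust settings means keeping only the first element. The function names and the sample input are constructed for illustration; the stand-in "certificate" is a placeholder DER blob, not a real X.509 certificate.

```python
import base64, re, textwrap

def read_tlv(buf, pos):                  # -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, pos, end):             # iterate the elements inside buf[pos:end]
    while pos < end:
        tag, start, pos = read_tlv(buf, pos)
        yield tag, start, pos

def oid(b):                              # dotted OID; first arc 0 or 1, enough for EKU OIDs
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def split_trusted(pem):                  # -> (plain CERTIFICATE PEM, auxiliary data)
    body = re.search(r"-----BEGIN TRUSTED CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    der = base64.b64decode(body)
    _, _, cert_end = read_tlv(der, 0)    # first element: the X.509 certificate itself
    info = {"trust": [], "reject": [], "alias": None}
    if cert_end < len(der):              # second element: the auxiliary SEQUENCE
        _, a, b = read_tlv(der, cert_end)
        for tag, s, e in children(der, a, b):
            if tag in (0x30, 0xA0):      # trust: SEQUENCE OF OID; reject: [0] IMPLICIT
                oids = [oid(der[i:j]) for _, i, j in children(der, s, e)]
                info["trust" if tag == 0x30 else "reject"] = oids
            elif tag == 0x0C:            # alias: UTF8String (the friendly name)
                info["alias"] = der[s:e].decode()
    b64 = textwrap.fill(base64.b64encode(der[:cert_end]).decode(), 64)
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n", info

def tlv(tag, v):                         # DER encoder, only for building the sample
    return bytes([tag]) + (bytes([len(v)]) if len(v) < 0x80 else bytes([0x81, len(v)])) + v

def sample_pem():                        # constructed input, NOT a real certificate
    cert = tlv(0x30, tlv(0x04, b"\x00" * 200))
    eku = lambda h: tlv(0x06, bytes.fromhex("2b060105050703" + h))  # 1.3.6.1.5.5.7.3.x
    aux = tlv(0x30, tlv(0x30, eku("01")) + tlv(0xA0, eku("04")) + tlv(0x0C, b"Example Root"))
    b64 = textwrap.fill(base64.b64encode(cert + aux).decode(), 64)
    return f"-----BEGIN TRUSTED CERTIFICATE-----\n{b64}\n-----END TRUSTED CERTIFICATE-----\n"
```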


