[openssl-users] openssl is flexible when verifying
noloader at gmail.com
Mon Apr 6 21:58:22 UTC 2015
On Mon, Apr 6, 2015 at 2:42 PM, Yuting Chen <chenyt at cs.sjtu.edu.cn> wrote:
> As Jeffrey Walton commented, the standard is
> very malleable, making cert path validation a
> little unpredictable.

Generally speaking, RFC 6125 is used to validate a PKIX certificate.
Unfortunately, the RFC does not mention AKIs and SKIs. As far as
validations go, they do not exist. So the validation steps have to be
synthesized from RFC 5280.

I think it also means anything goes as far as validating the AKIs and
SKIs. PKI is the wild, wild, west.