Re: strawman trust model - cross certificates

From: Daniel Carosone (dangeek.com.au)
Date: Tue May 18 2004 - 19:16:59 CDT


On Wed, May 19, 2004 at 09:51:45AM +1000, Daniel Carosone wrote:
> That trust decision is mapped by either installing additional certs in
> the directory, or (preferably) by issuing a cross-certificate to it
> from the host's CA (again, with suitable constraints for purpose) and
> installing that.[*]
>
> [*] I'm not sure if openssl processes cross certificates, anyone know?

I'm starting to suspect it doesn't, actually.

No matter, in that case what gets signed is a "policy document" that
says "the owner of this system permits stuff signed under this other
key to be installed", and the install tools look for such documents in
some standardised location. Cross certs with particular constraints
and extension OIDs are merely one potential form of such generic
documents.

I knew I should have taken my own advice and resisted the temptation
to use technology-specific examples.

--
Dan.

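The policy-document scheme described in this message, sketched as an added example that is not part of the original post: an install tool accepts a package only if a document signed by the system owner permits the package's signing key for that purpose. The JSON field names, the purpose strings and the toy RSA keys (built from public Mersenne primes, so insecure) are assumptions for illustration.

```python
import hashlib
import json

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    # Toy RSA key from two known primes. The factors are public, so this is
    # for demonstration only; a real tool would use a vetted signature library.
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == digest(data, n)

def may_install(owner_n, policies, package, pkg_sig, signer_n, purpose):
    """Install-tool decision: accept only if a policy document signed by the
    system owner permits signer_n for this purpose."""
    if not verify(signer_n, package, pkg_sig):
        return False                  # package signature itself is bad
    for doc, doc_sig in policies:     # documents found in the policy location
        if not verify(owner_n, doc, doc_sig):
            continue                  # not issued by the owner: ignore it
        policy = json.loads(doc)
        if (policy.get("permit_key") == signer_n
                and purpose in policy.get("purposes", [])):
            return True
    return False

# Constructed sample data (hypothetical names and values).
OWNER = make_key(2**521 - 1, 2**607 - 1)    # the host owner's key
VENDOR = make_key(2**521 - 1, 2**1279 - 1)  # the "other key" being trusted
ROGUE = make_key(2**607 - 1, 2**1279 - 1)   # a key nobody has permitted
POLICY = json.dumps({"permit_key": VENDOR["n"],
                     "purposes": ["package-install"]}).encode()
POLICIES = [(POLICY, sign(OWNER, POLICY))]
PACKAGE = b"constructed package payload"

if __name__ == "__main__":
    ok = may_install(OWNER["n"], POLICIES, PACKAGE, sign(VENDOR, PACKAGE),
                     VENDOR["n"], "package-install")
    print("install permitted:", ok)
```
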