On Tue, Jul 05, 2005, Martin Kraemer wrote:

> > Since then CA checks have been made mandatory in the code even if "Any
> > Purpose" is set. So if you actually tried to use that certificate as a CA it
> > would be rejected.
>
> If that is so, then how can the following happen (with a recent
> openssl-dev):
>

[example of ca utility]

The 'ca' utility doesn't currently check the validity of the CA certificate it
is signing with. So it will happily sign with an invalid CA but the
verification routines will reject it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
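
The behaviour described in this message, reproduced as an added example (not part of the original thread and not OpenSSL project code): a constructed root issues a certificate marked CA:FALSE, the `ca` utility is given that certificate as its signer, and `openssl verify` then checks the resulting chain. All subjects, file names and the `demo.cnf` layout are constructed; it assumes an `openssl` binary on PATH whose `ca` command still behaves as the message describes.

```shell
# Added illustration; all subjects and file names are constructed.
# Prints "signed=<yes|no> verified=<yes|no>" for a leaf issued by a CA:FALSE cert.
ca_vs_verify_demo() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    cd "$d" || exit 1
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
[v3_notca]
basicConstraints = critical,CA:FALSE
[ca]
default_ca = demo_ca
[demo_ca]
database = ./index.txt
serial = ./serial
new_certs_dir = .
default_md = sha256
default_days = 2
policy = pol
[pol]
commonName = supplied
EOF
    : > index.txt; echo 1000 > serial
    for n in root notca leaf; do
        openssl genrsa -out "$n.key" 2048 2>/dev/null || exit 1
    done
    # Self-signed root that really is a CA.
    openssl req -x509 -new -config demo.cnf -extensions v3_root -key root.key \
        -subj "/CN=Constructed Root" -days 2 -out root.pem || exit 1
    # Certificate issued by the root but marked CA:FALSE.
    openssl req -new -config demo.cnf -key notca.key -subj "/CN=Constructed Not-A-CA" -out notca.csr || exit 1
    openssl x509 -req -in notca.csr -CA root.pem -CAkey root.key -set_serial 2 -days 2 \
        -extfile demo.cnf -extensions v3_notca -out notca.pem 2>/dev/null || exit 1
    # Issuance: 'ca' is handed the CA:FALSE certificate as its signer.
    openssl req -new -config demo.cnf -key leaf.key -subj "/CN=Constructed Leaf" -out leaf.csr || exit 1
    signed=no; verified=no
    openssl ca -batch -notext -config demo.cnf -cert notca.pem -keyfile notca.key \
        -in leaf.csr -out leaf.pem 2>/dev/null && [ -s leaf.pem ] && signed=yes
    # Verification: the chain leaf <- notca <- root goes through the verify routines.
    openssl verify -CAfile root.pem -untrusted notca.pem leaf.pem >/dev/null 2>&1 && verified=yes
    echo "signed=$signed verified=$verified"
)
ca_vs_verify_demo   # expected: signed=yes verified=no
```

Dropping the `>/dev/null 2>&1` on the `openssl verify` line shows the specific error the verification routines report for the non-CA issuer.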