Mark Reynolds via RT wrote:
> This is a bug report for OpenSSL version 0.9.8e. The top level summary is that
> misconfigured certificates with a bogus Issuer field are processed as if the field
> was valid.
> The Issuer should have an attribute of commonName (OID and a value
> of some kind of string (e.g. T61String). If instead it has a bogus attribute, such
> as the obsolete OID, the command openssl x509 -in badcert.pem -inform PEM -noout -text
> should report that the certificate has no issuer. Instead it reports an issuer
> containing the literal string "" followed by the string value of this OID.
> This seems like a clear violation of RFC3280 to me.

I don't see how not having a commonName is a violation of RFC 3280. I
would really like to agree with you, but I know there are roots in the
wild that don't have a CN field. I may have missed some text in the RFC
- could you reference a specific section? I agree it's 'best practice'
but I think some CA's don't follow that practice...
__________________________________________________ ____________________
OpenSSL Project
Development Mailing List
Automated List Manager