On Wed, Sep 09, 2015 at 03:02:36PM +0300, Georgi Guninski wrote:
> On Wed, Sep 09, 2015 at 11:55:36AM +0000, Viktor Dukhovni wrote:
> >
> > The expected time for this sort of check is when CAs sign certificates,
> > not when TLS handshake participants validate the certificates of
> > their peers (issued by trusted issuers, or else why bother).
>
> Are you saying I can't sign the cert with another cert
> (the pubkey is easy to extract from the cert) with openssl?

If you control a trusted root CA, or an intermediate CA issued
(possibly indirectly) by a trusted root CA, you can sign anything
you want and it will be trusted. The fact that malfeasant CAs can
compromise security is not new.

If you don't control a trusted CA, what significance would such a
signature carry?

Yes, most certificates (sometimes constrained by KeyUsage) can be
used for signing, but unless "CA=true", they can't be used to sign
other certificates that will be trusted by peers.

--
Viktor.
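
The point made in the reply above, shown with the openssl command line as an added example that is not part of the original message: a key belonging to a CA:FALSE certificate can produce a signature over another certificate, but path validation rejects the result. All names, keys and certificates are throwaway values constructed inside the function, and the function name is hypothetical.

```shell
#!/usr/bin/env bash
# Added illustration: throwaway keys and certificates, all constructed here.
# Returns 0 when the root-issued leaf verifies and the leaf-signed cert does not.
nonca_signature_rejected() {
  local d rc
  d=$(mktemp -d) || return 2
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF
  (
    cd "$d" || exit 2
    # Self-signed root with CA:TRUE, standing in for a trusted root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -config x.cnf -extensions ca_ext \
      -subj "/CN=Example Root CA" -keyout root.key -out root.pem -days 1 2>/dev/null || exit 2
    # Ordinary end-entity certificate issued by the root, marked CA:FALSE.
    openssl req -new -newkey rsa:2048 -nodes -config x.cnf \
      -subj "/CN=leaf.example" -keyout leaf.key -out leaf.csr 2>/dev/null || exit 2
    openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile x.cnf -extensions leaf_ext -out leaf.pem -days 1 2>/dev/null || exit 2
    # The leaf's key signs a certificate for another name; openssl permits this.
    openssl req -new -newkey rsa:2048 -nodes -config x.cnf \
      -subj "/CN=other.example" -keyout other.key -out other.csr 2>/dev/null || exit 2
    openssl x509 -req -in other.csr -CA leaf.pem -CAkey leaf.key -CAcreateserial \
      -out other.pem -days 1 2>/dev/null || exit 2
    # Control: the leaf itself chains to the trusted root.
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1 || exit 1
    # The leaf-signed certificate must not validate: its issuer is not a CA.
    if openssl verify -CAfile root.pem -untrusted leaf.pem other.pem 2>&1; then
      exit 1
    fi
    exit 0
  )
  rc=$?
  rm -rf "$d"
  return "$rc"
}

nonca_signature_rejected && echo "leaf-signed certificate was rejected by the verifier"
```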