On Wed, Sep 09, 2015 at 12:07:43PM +0000, Viktor Dukhovni wrote:
> >
> > Are you saying I can't sign the cert with another cert
> > (the pubkey is easy to extract from the cert) with openssl?
>
> If you control a trusted root CA, or an intermediate CA issued
> (possibly indirectly) by a trusted root CA, you can sign anything
> you want and it will be trusted. The fact that malfeasant CAs can
> compromise security is not new.
>
> If you don't control a trusted CA, what significance would such a
> signature carry? Yes, most certificates (sometimes constrained by
> KeyUsage) can be used for signing, but unless "CA=true", they can't
> be used to sign other certificates that will be trusted by peers.
>

I am gonna leave this list very soon. Feel free to CC me with answer:

If I am CA and sign cert requests with vanilla openssl, will I sign
a composite $q$?
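
The point in the quoted reply, that a certificate without "CA=true" can produce a signature but not one that peers will trust, can be reproduced with the openssl command line. This is an added example, not part of the original thread; it assumes OpenSSL 1.1.0 or later on PATH, and every subject, file name and the `chain_demo` function are constructed for illustration.

```shell
#!/bin/sh
# Added example. Chain built in a temp dir:
#   root (CA:TRUE) -> leaf (CA:FALSE) -> end (signed with the leaf's key)
chain_demo() (
    d=$(mktemp -d) && cd "$d" || exit 2
    # Minimal private config so the system openssl.cnf is not involved.
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        '[v3_leaf]' 'basicConstraints = critical,CA:FALSE' > x.cnf
    newreq() {  # newreq NAME CN: fresh key plus CSR
        openssl req -new -config x.cnf -newkey rsa:2048 -nodes \
            -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
    }
    # Self-signed root with CA:TRUE.
    openssl req -x509 -config x.cnf -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout root.key -out root.pem -subj "/CN=Example Root" \
        -days 2 2>/dev/null
    # Leaf issued by the root, explicitly CA:FALSE.
    newreq leaf leaf.example
    openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile x.cnf -extensions v3_leaf -days 2 \
        -out leaf.pem 2>/dev/null
    # Sign a third certificate with the leaf: openssl emits the signature.
    newreq end signed-by-leaf.example
    openssl x509 -req -in end.csr -CA leaf.pem -CAkey leaf.key \
        -CAcreateserial -days 2 -out end.pem 2>/dev/null
    signed=no; [ -s end.pem ] && signed=yes
    # The leaf chains to the root and verifies.
    leaf=REJECTED
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1 && leaf=OK
    # Path validation of end.pem fails at the non-CA issuer
    # (X509_V_ERR_INVALID_CA), even though the signature itself is valid.
    if openssl verify -CAfile root.pem -untrusted leaf.pem end.pem \
        >/dev/null 2>&1; then end=OK; else end=REJECTED; fi
    cd / && rm -rf "$d"
    echo "signed=$signed leaf=$leaf end=$end"
)
chain_demo
```

Signing and trust are separate steps: the issuing command does not stop a non-CA certificate from signing, so the rejection comes only from a verifier that enforces basicConstraints during path validation.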