OT: SSL certificate chain problems

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Feb 5 03:59:35 EST 2007


Victor Duchovni <Victor.Duchovni at MorganStanley.com> writes:
>On Wed, Jan 31, 2007 at 01:57:04PM +1300, Peter Gutmann wrote:
>> You use the key in the old root to validate the self-signature in the new
>> root.  Since they're the same key, you know that the new root supersedes the
>> expired one.
>
>So this is a special trick to extend root CA lifetimes. How widely is this
>logic implemented, and is extending root CA key lifetime in this manner
>standard practice? 

Like a lot of PKI, it's total pot-luck ("crapshoot" in the US I guess) as to
what a particular implementation does when it encounters this situation.  It
may work, it may not work, it may work under some circumstances, or it may do
anything in between.

(I've seen some implementations that require a "system rebuild" (meaning
reinstall all your PKI software with the new roots) to roll over roots, all
the way through to ones that handle the situation automatically.  There really
is no way to tell what a particular implementation will do, apart from trying
it out and seeing what happens).

Peter.
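The check described in the quoted exchange (use the key in the old root to validate the self-signature in the new root, and treat the new root as superseding the old one when the key is the same) written out in Go, using only the standard library. This is an added example, not code from the thread and not any particular PKI toolkit's rollover logic; the "Example Root CA" name, the serial numbers, the validity dates and the "www.example.test" leaf are constructed for the demonstration. The second half also shows what one concrete verifier (Go's crypto/x509) does when the only trust anchor it holds is the expired old root, which is the implementation-dependent behaviour Peter is talking about.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Rollover holds the constructed scenario: an expired root, its replacement
// carrying the same subject and the same key, and a leaf issued under the new root.
type Rollover struct {
	OldRoot, NewRoot, Leaf *x509.Certificate
}

// date returns 1 January of the given year (UTC); all dates here are made up.
func date(year int) time.Time { return time.Date(year, 1, 1, 0, 0, 0, 0, time.UTC) }

// mkCert signs template with signer on behalf of issuer and parses the result.
// When issuer == template the certificate is self-signed.
func mkCert(template, issuer *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, issuer, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildRollover creates one root key, two self-signed root certificates for it
// with different validity periods and serial numbers, and a leaf signed by the new root.
func BuildRollover() (*Rollover, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one key, two root certs
	if err != nil {
		return nil, err
	}
	name := pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example"}} // constructed
	oldTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: name,
		NotBefore: date(2007), NotAfter: date(2017), // expired by the time we verify
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	newTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: name,
		NotBefore: date(2016), NotAfter: date(2036), // overlaps the old root, then extends it
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	oldRoot, err := mkCert(oldTpl, oldTpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	newRoot, err := mkCert(newTpl, newTpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.test"}, // constructed
		DNSNames:     []string{"www.example.test"},
		NotBefore:    date(2019), NotAfter: date(2021),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := mkCert(leafTpl, newRoot, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &Rollover{OldRoot: oldRoot, NewRoot: newRoot, Leaf: leaf}, nil
}

// SupersedesExpiredRoot is the check from the thread: newRoot replaces oldRoot only if
// it has the same subject and the same public key and its self-signature verifies
// under the old root's key. Validity periods are deliberately not consulted, because
// the old root being expired is exactly the situation this is meant to handle.
func SupersedesExpiredRoot(oldRoot, newRoot *x509.Certificate) error {
	if !bytes.Equal(oldRoot.RawSubject, newRoot.RawSubject) {
		return errors.New("subject name differs")
	}
	if !bytes.Equal(oldRoot.RawSubjectPublicKeyInfo, newRoot.RawSubjectPublicKeyInfo) {
		return errors.New("public key differs")
	}
	if !bytes.Equal(newRoot.RawIssuer, newRoot.RawSubject) {
		return errors.New("new root is not self-issued")
	}
	// CheckSignatureFrom verifies the signature with the old root's key; it does not check dates.
	if err := newRoot.CheckSignatureFrom(oldRoot); err != nil {
		return fmt.Errorf("self-signature does not verify under the old root key: %w", err)
	}
	if !newRoot.NotAfter.After(oldRoot.NotAfter) {
		return errors.New("new root does not extend the validity period")
	}
	return nil
}

// VerifyLeaf is an ordinary path validation with a trust store holding only root,
// evaluated at the given time. Go's verifier checks the root's own validity period,
// so with the expired old root as the sole anchor the chain fails.
func VerifyLeaf(leaf, root *x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, DNSName: "www.example.test"})
	return err
}

func main() {
	r, err := BuildRollover()
	if err != nil {
		panic(err)
	}
	now := date(2020) // after the old root expired, inside the new root's lifetime
	fmt.Println("trust store = old root:", VerifyLeaf(r.Leaf, r.OldRoot, now))
	fmt.Println("trust store = new root:", VerifyLeaf(r.Leaf, r.NewRoot, now))
	fmt.Println("new root supersedes old:", SupersedesExpiredRoot(r.OldRoot, r.NewRoot))
}
```

The point of running both VerifyLeaf calls is the caveat from the reply: a verifier that has only the old root installed and applies the root's validity dates rejects the chain outright, and nothing in standard path validation makes it go looking for a replacement. The SupersedesExpiredRoot step is the extra logic a deployment has to run itself, at rollover time, before swapping the anchor in the trust store.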

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com