OT: SSL certificate chain problems

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Jan 26 20:12:34 EST 2007

Victor Duchovni <Victor.Duchovni at MorganStanley.com> writes:

>Wouldn't the old root also (until it actually expires) verify any
>certificates signed by the new root? If so, why does a server need to send
>the new root?

Because the client may not have the new root yet, and when they try and verify
using the expired root the verification will fail.

(There's a lot of potential further complications in there that I'm going to
 spare people the exposure to, but that's the basic idea).
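A simplified model of the chain walk described above, added here as an illustration and not code from the original message: certificate names and dates are constructed, and signature checking is reduced to issuer-name matching so the root-rollover cases stand out.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def verify_chain(chain, trust_anchors, now):
    """Walk from the leaf (chain[0]) towards a certificate in the client's local
    store. A matching issuer name stands in for a valid signature. Returns (ok, reason)."""
    sent = {c.subject: c for c in chain}
    anchors = {c.subject: c for c in trust_anchors}
    cert, seen = chain[0], set()
    while True:
        if now > cert.not_after:
            return False, f"{cert.subject} expired"
        if cert.subject in seen:
            return False, "loop in chain"
        seen.add(cert.subject)
        if cert.issuer in anchors:
            # Reached the local store; an expired anchor still fails the path.
            anchor = anchors[cert.issuer]
            if now > anchor.not_after:
                return False, f"trust anchor {anchor.subject} expired"
            return True, f"chained to {anchor.subject}"
        if cert.issuer in sent and cert.issuer != cert.subject:
            cert = sent[cert.issuer]  # issuer certificate supplied by the server
            continue
        return False, f"no trusted issuer for {cert.subject}"

# Constructed sample data: a root rollover as seen on 2007-01-26.
NOW = datetime(2007, 1, 26)
OLD_ROOT = Cert("Old Root CA", "Old Root CA", datetime(2007, 1, 1))  # already expired
NEW_ROOT = Cert("New Root CA", "New Root CA", datetime(2027, 1, 1))
# The old root signed the new root's name/key (a cross-certificate).
CROSS = Cert("New Root CA", "Old Root CA", datetime(2010, 1, 1))
LEAF = Cert("www.example.com", "New Root CA", datetime(2008, 1, 1))

def via_expired_old_root():
    """Client trusts only the old root; server sends leaf + cross-certificate."""
    return verify_chain([LEAF, CROSS], [OLD_ROOT], NOW)
def new_root_sent_but_not_trusted():
    """Server sends the new root, but the client's store does not hold it."""
    return verify_chain([LEAF, NEW_ROOT], [OLD_ROOT], NOW)
def new_root_installed():
    """Client has picked up the new root; the chain terminates there."""
    return verify_chain([LEAF, NEW_ROOT], [OLD_ROOT, NEW_ROOT], NOW)
```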


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com