OT: SSL certificate chain problems
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Jan 26 20:12:34 EST 2007
Victor Duchovni <Victor.Duchovni at MorganStanley.com> writes:
>Wouldn't the old root also (until it actually expires) verify any
>certificates signed by the new root? If so, why does a server need to send
>the new root?
Because the client may not have the new root yet, and when they try and verify
using the expired root the verification will fail.
(There's a lot of potential further complications in there that I'm going to
spare people the exposure to, but that's the basic idea).
Peter.
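As an added illustration, not code from the thread: a toy model of the rollover Peter describes. It assumes the old and new root share one key (which is why the old root could verify certificates issued under the new one), that the client anchors trust on that key, and that, as OpenSSL does, every certificate on the path including the root must be inside its validity period at verification time.

```python
# Constructed model (not code from the thread): certificates are dicts,
# trust is keyed on the root *key*, and a fresh copy of the root sent by the
# server is preferred over the (possibly expired) copy in the local store.
from datetime import datetime, timezone

def cert(subject, issuer, key, signed_by, not_before, not_after):
    return {"subject": subject, "issuer": issuer, "key": key, "signed_by": signed_by,
            "not_before": not_before, "not_after": not_after}

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

ROOT_KEY = "root-key-K"  # constructed; shared by the old and the new root
OLD_ROOT = cert("Root CA", "Root CA", ROOT_KEY, ROOT_KEY, utc(1997, 1, 1), utc(2007, 1, 1))
NEW_ROOT = cert("Root CA", "Root CA", ROOT_KEY, ROOT_KEY, utc(2006, 1, 1), utc(2027, 1, 1))
LEAF = cert("www.example.com", "Root CA", "leaf-key", ROOT_KEY, utc(2006, 6, 1), utc(2008, 6, 1))

def verify(sent_chain, trust_store, now):
    """Return (ok, reason). sent_chain[0] is the leaf; trust_store maps root key -> root cert."""
    path = [sent_chain[0]]
    # Walk upward until a self-signed certificate is reached; the issuer is taken
    # from the server-sent chain first, then from the local trust store.
    while path[-1]["signed_by"] != path[-1]["key"]:
        sig_key = path[-1]["signed_by"]
        issuer = next((c for c in sent_chain if c["key"] == sig_key), None) or trust_store.get(sig_key)
        if issuer is None:
            return False, "no issuer for %s" % path[-1]["subject"]
        path.append(issuer)
    root = path[-1]
    if root["key"] not in trust_store:
        return False, "untrusted root %s" % root["subject"]
    for c in path:  # validity is checked for every certificate, the root included
        if not (c["not_before"] <= now <= c["not_after"]):
            return False, "%s outside validity period" % c["subject"]
    return True, "ok"

if __name__ == "__main__":
    now = utc(2007, 1, 26)  # after the old root expired, before clients have the new one
    client_store = {ROOT_KEY: OLD_ROOT}
    print("leaf only:        ", verify([LEAF], client_store, now))            # fails: expired root
    print("leaf + new root:  ", verify([LEAF, NEW_ROOT], client_store, now))  # ok: fresh root copy
```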
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com