OT: SSL certificate chain problems

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Jan 26 20:12:34 EST 2007


Victor Duchovni <Victor.Duchovni at MorganStanley.com> writes:

>Wouldn't the old root also (until it actually expires) verify any
>certificates signed by the new root? If so, why does a server need to send
>the new root?

Because the client may not have the new root yet, and when they try to verify
using the expired root the verification will fail.

(There are a lot of potential further complications in there that I'm going to
spare people the exposure to, but that's the basic idea).

Peter.
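
The situation the two posts describe, as an added example that is not part of the original thread: a toy root rollover built with the openssl CLI, with the old root given one day of life, the new root's key cross-signed by the old root, and a server certificate issued by the new root. The names (Old Root, New Root, www.example.com), the one-day and ten-year lifetimes and the "two days later" check time are all made up for the demonstration; the verification runs use `-attime` to move the clock rather than waiting for the old root to expire. It needs a normal openssl install (1.1.1 or 3.x, with its default openssl.cnf present).

```shell
#!/bin/sh
# Added example (not from the original thread): a toy root rollover built with
# the openssl CLI, to show what a client sees before and after the old root
# expires. All names (Old Root, New Root, www.example.com) are made up.

# Create, under directory $1: an old root that expires in one day, a new
# self-signed root, a cross-certificate (the new root's key and subject, issued
# by the old root) and a server certificate issued by the new root.
make_rollover_pki() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$d/leaf.ext"

  # Old root: self-signed, one day left before it expires.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Old Root" \
    -keyout "$d/old.key" -out "$d/old.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/old.csr" -signkey "$d/old.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/old.crt" >/dev/null 2>&1

  # New root: one key and one CSR, signed twice.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=New Root" \
    -keyout "$d/new.key" -out "$d/new.csr" >/dev/null 2>&1
  # (a) self-signed: what a client with an updated trust store holds.
  openssl x509 -req -in "$d/new.csr" -signkey "$d/new.key" -days 3650 \
    -extfile "$d/ca.ext" -out "$d/new.crt" >/dev/null 2>&1
  # (b) cross-signed by the old root: what the server sends for clients that
  #     only trust the old root.
  openssl x509 -req -in "$d/new.csr" -CA "$d/old.crt" -CAkey "$d/old.key" \
    -CAcreateserial -days 3650 -extfile "$d/ca.ext" -out "$d/cross.crt" >/dev/null 2>&1

  # Server certificate, issued by the new root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/srv.csr" -CA "$d/new.crt" -CAkey "$d/new.key" \
    -CAcreateserial -days 3650 -extfile "$d/leaf.ext" -out "$d/srv.crt" >/dev/null 2>&1
}

# verify_at EPOCH TRUSTED_ROOT LEAF [UNTRUSTED_CHAIN]: run path validation as
# of the given time with exactly one trust anchor; prints OK or FAIL.
verify_at() {
  untrusted=""
  if [ -n "${4:-}" ]; then untrusted="-untrusted $4"; fi
  if openssl verify -attime "$1" -no-CApath -CAfile "$2" $untrusted "$3" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

WORK=$(mktemp -d)
make_rollover_pki "$WORK"
NOW=$(date +%s)
LATER=$((NOW + 2 * 86400))   # two days on: the old root has expired by then

# Expected, top to bottom: OK, FAIL, FAIL, OK
echo "old root trusted, server sends cross-cert, today:     $(verify_at "$NOW"   "$WORK/old.crt" "$WORK/srv.crt" "$WORK/cross.crt")"
echo "old root trusted, server sends leaf only, today:      $(verify_at "$NOW"   "$WORK/old.crt" "$WORK/srv.crt")"
echo "old root trusted, server sends cross-cert, in 2 days: $(verify_at "$LATER" "$WORK/old.crt" "$WORK/srv.crt" "$WORK/cross.crt")"
echo "new root trusted, server sends cross-cert, in 2 days: $(verify_at "$LATER" "$WORK/new.crt" "$WORK/srv.crt" "$WORK/cross.crt")"
```

The first line answers the question in the quoted post: while the old root is still valid, a client that trusts only it verifies the new-root-issued server certificate as long as the server also sends the cross-certificate (the second line shows the failure when it does not). The third line is the case the reply is about: once the old root has expired, that same client fails even with the cross-certificate, because OpenSSL checks the validity period of every certificate in the chain, trust anchor included. The fourth line shows the same chain succeeding for a client whose trust store already has the new self-signed root; the untrusted cross-certificate is simply left out of the chain it builds. The working directory is left in place under `$WORK` for inspection with `openssl x509 -in ... -noout -text`.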

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
