OT: SSL certificate chain problems
Victor Duchovni
Victor.Duchovni at MorganStanley.com
Sun Jan 28 01:08:11 EST 2007
On Sat, Jan 27, 2007 at 02:12:34PM +1300, Peter Gutmann wrote:
> Victor Duchovni <Victor.Duchovni at MorganStanley.com> writes:
>
> >Wouldn't the old root also (until it actually expires) verify any
> >certificates signed by the new root? If so, why does a server need to send
> >the new root?
>
> Because the client may not have the new root yet, and when they try and verify
> using the expired root the verification will fail.
I am curious how the expired trusted old root helps to verify the as
yet untrusted new root... Is there a special-case behaviour when the
old and new root share the same DN and public key? Is such special-case
behaviour standard for trust chain verification implementations (allowing
the lifetime of root CAs to be indefinitely extended by issuing new certs
with the same keys)?
--
Viktor.
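The situation asked about above, as an added example that is not part of this thread: Go's crypto/x509 chain builder is given two self-signed roots that share one key pair and one DN (names and validity years are constructed for the example), and a leaf issued under the new root is verified against a trust store that holds only the old root. It shows one implementation's answer: the chain is accepted while the old root is within its validity period, because the signature checks against the shared key, and rejected once the old root has expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func date(y int) time.Time { return time.Date(y, 1, 1, 0, 0, 0, 0, time.UTC) }
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent with the issuer's private key; parent == tmpl self-signs.
func sign(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))))
}

// root is a self-signed CA template; both roots carry the same DN, so either is a candidate issuer for the leaf.
func root(serial int64, from, to int) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: date(from), NotAfter: date(to), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// build: one CA key pair, an old root (constructed validity 2000-2010), a new root with the same key and DN (2005-2030), and a leaf issued by the new root (2006-2012).
func build() (oldRoot, newRoot, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	old, nw := root(1, 2000, 2010), root(2, 2005, 2030)
	oldRoot, newRoot = sign(old, old, &caKey.PublicKey, caKey), sign(nw, nw, &caKey.PublicKey, caKey)
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.com"},
		NotBefore: date(2006), NotAfter: date(2012)}
	return oldRoot, newRoot, sign(leafTmpl, newRoot, &leafKey.PublicKey, caKey)
}

// verifyAt chains leaf to a trust store holding only root, as of year y. Go checks the signature
// (which the shared key satisfies) and then the root's own validity period, so an expired root fails.
func verifyAt(leaf, root *x509.Certificate, y int) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: date(y)})
	return err
}
```

Whether other verifiers apply the same expiry check to a trust-anchor certificate, rather than only to the anchor's key, is exactly the open question in the message above; this block only shows what Go's standard library does.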
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com