OT: SSL certificate chain problems
Victor Duchovni
Victor.Duchovni at MorganStanley.com
Tue Jan 30 20:34:37 EST 2007
On Wed, Jan 31, 2007 at 01:57:04PM +1300, Peter Gutmann wrote:
> Victor Duchovni <Victor.Duchovni at MorganStanley.com> writes:
>
> >What I don't understand is how the old (finally expired) root helps to
> >validate the new unexpired root, when a verifier has the old root and the
> >server presents the new root in its trust chain.
>
> You use the key in the old root to validate the self-signature in the new
> root. Since they're the same key, you know that the new root supersedes the
> expired one.
So this is a special trick to extend root CA lifetimes. How widely is
this logic implemented, and is extending root CA key lifetime in this
manner standard practice? I may have to revise the Postfix documentation
to advise users to send the root cert.
My most recent experience is ironically in the opposite direction:
Peer finally upgrades from Windows Server 2000 to Windows Server 2003,
and replaces unexpired Verisign CA certs (updated at some point in
the past in the working Windows 2000) with now expired CA certs that
were good way back, when the Windows 2003 CDs were burned :-)
--
/"\ ASCII RIBBON                    NOTICE: If received in error,
\ / CAMPAIGN       Victor Duchovni  please destroy and notify
 X  AGAINST        IT Security,     sender. Sender does not waive
/ \ HTML MAIL      Morgan Stanley   confidentiality or privilege,
                                    and use is prohibited.
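The check Peter describes above, as an added example that is not part of this thread, of Postfix, or of any CA's tooling: using only Go's standard crypto/x509 package it builds an expired root, a re-issued root under the same key, a server certificate under the new root, and an unrelated root under a different key (all names and dates are constructed), then shows that a verifier holding only the old root rejects the chain, that the new root is accepted only because its self-signature verifies under the key already trusted, and that a root under a different key is refused. Whether a given TLS stack performs this key-continuity step at all is exactly the open question in the message; the example isolates the check itself.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// rootName is a constructed subject; the old and the re-issued root share it.
var rootName = pkix.Name{CommonName: "Example Root CA (constructed)"}

// newKey generates a P-256 key; for the root this is the long-lived key that
// outlives the certificate wrapped around it.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// issue signs tmpl with priv under parent and parses the resulting DER.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// makeRoot issues a self-signed CA certificate for key with the given validity.
func makeRoot(key *ecdsa.PrivateKey, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               rootName,
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, &key.PublicKey, key)
}

// makeLeaf issues a server certificate (constructed name) under root.
func makeLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, notBefore, notAfter time.Time) *x509.Certificate {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000),
		Subject:      pkix.Name{CommonName: "mail.example.test"},
		DNSNames:     []string{"mail.example.test"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, root, &leafKey.PublicKey, rootKey)
}

// verifyAt chains leaf to a trust store holding only root, as of time now.
func verifyAt(leaf, root *x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	return err
}

// supersedes is the check from the thread: accept newRoot as a replacement for
// the already-trusted oldRoot only if newRoot's self-signature verifies under
// oldRoot's key, which also proves the key is unchanged. oldRoot's expiry is
// deliberately not consulted, because the thing being trusted is the key.
func supersedes(oldRoot, newRoot *x509.Certificate) error {
	if !bytes.Equal(oldRoot.RawSubjectPublicKeyInfo, newRoot.RawSubjectPublicKeyInfo) {
		return fmt.Errorf("new root carries a different key; not a re-issue of the trusted root")
	}
	// CheckSignatureFrom checks the signature and oldRoot's CA/keyCertSign
	// bits but not validity dates, so the expired oldRoot can still vouch.
	return newRoot.CheckSignatureFrom(oldRoot)
}

// scenario runs the whole story and reports the outcome of each check.
func scenario() (expiredRootRejectsLeaf, newRootSupersedes, newRootAcceptsLeaf, unrelatedRootRejected bool) {
	now := time.Now()
	key := newKey()
	oldRoot := makeRoot(key, 1, now.AddDate(-10, 0, 0), now.AddDate(-1, 0, 0)) // expired a year ago
	newRoot := makeRoot(key, 2, now.AddDate(-2, 0, 0), now.AddDate(10, 0, 0))  // same key, new dates
	leaf := makeLeaf(newRoot, key, now.AddDate(0, -1, 0), now.AddDate(1, 0, 0))
	other := makeRoot(newKey(), 3, now.AddDate(-2, 0, 0), now.AddDate(10, 0, 0)) // unrelated key

	expiredRootRejectsLeaf = verifyAt(leaf, oldRoot, now) != nil // old root alone: chain fails on expiry
	newRootSupersedes = supersedes(oldRoot, newRoot) == nil      // key-continuity check admits the new root
	newRootAcceptsLeaf = verifyAt(leaf, newRoot, now) == nil     // after which the chain validates
	unrelatedRootRejected = supersedes(oldRoot, other) != nil    // a root under another key is refused
	return
}

func main() {
	a, b, c, d := scenario()
	fmt.Printf("expired root rejects leaf: %v\nnew root supersedes old: %v\nnew root accepts leaf: %v\nunrelated root rejected: %v\n", a, b, c, d)
}
```

The ordering in supersedes matters: comparing the SubjectPublicKeyInfo first makes the intent explicit, and CheckSignatureFrom then proves possession of that key rather than merely its reuse; a verifier that only compared public keys would accept any certificate copying the old root's key material without a valid signature.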
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com