OT: SSL certificate chain problems

Geoffrey Hird geoffrey at arcot.com
Wed Jan 31 17:25:00 EST 2007


Victor Duchovni wrote:
> On Sun, Jan 28, 2007 at 12:47:18PM -0500, Thor Lancelot Simon wrote:
>
> > That doesn't make sense to me -- the end-of-chain (server or client)
> > certificate won't be signed by _both_ the old and new root, 
> I wouldn't
> > think (does x.509 even make this possible)?
> >
> > Or do I misunderstand?
> 
> The key extra information is that old and new roots share the same
issuer
> and subject DNs and public key, only the start/expiration dates
differ,
> so in the overlap when both are valid, they are interchangeable, both
> verify the same (singly-signed) certs.

To expand on what Duchovni said, you might want to look into
the concept of cross-certificates (which are heavily used with
bridges).  The surprising thing, at first, is that you can issue
any certificate after it was originally issued.  I can issue
the leaf cert you got from Verisign last year.  Tomorrow, I
could create my own SS Root CA, and issue a cert for the
Verisign Intermediate CA, by putting myself as the Issuer,
the Verisign Intermediate CA as the Subject, and putting the
Verisign ICA public key in it.  Your leaf cert will now chain
happily up to either the Verisign SS Root, or my new SS Root.
So this is not just a thing that works for renewing self-signed
roots.

> What I don't understand is how
> the old (finally expired) root helps to validate the new unexpired
root,
> when a verifier has the old root and the server presents the new root
> in its trust chain.

I shouldn't speak for Gutmann, but I assumed that he meant
that the server should send the new root *before* the old root
expires, so that the client can prepare in advance for the expiry.

As an aside, there are some funny issues around having a
signature done before the signer cert expired, but deciding
*after* the cert has expired, whether to trust it.  It was
ok yesterday, but maybe it's not ok today -- what has changed...?

Geoffrey

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list