Strength in Complexity?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Jul 7 04:26:09 EDT 2008


Florian Weimer <fw at deneb.enyo.de> writes:

>Let me rephrase my remark: The trust anchor is conceptually separate
>from a root CA certificate.

Conceptually yes, in the same way that the Soviet constitution was 
conceptually quite liberal and protective of individual rights.

In practice, no.  Look at your browser, email app, ... to see how it's really 
done.

>Nothing in that section gives you permission to ignore extensions on the CA 
>certificate (skipping the first entry in the certification path).  In 
>addition, the trust anchor cannot be used directly to verify certificates 
>issued by the CA because the subject DN does not match.  Ergo, the extensions 
>on the CA certificate are still in force.

I think people might be getting a bit tired of this discussion of PKI quirks 
so how about the following: you go to the X.509 standards folks and convince 
them that your interpretation of the spec as given above is the correct one.  
Once that's done, we can continue.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List