Re: OT: SSL certificate chain problems
user name
2007-01-26 00:06:00
Victor Duchovni MorganStanley.com> writes:

>Generally it is enough for a TLS server or client to present its own
>certificate and all *intermediate* CA certificates, sending the root CA cert
>is optional, because if the verifying system trusts the root CA in question,
>it has a local copy of that root CA cert.

In some cases it may be useful to send the entire chain, one such being when a
CA re-issues its root with a new expiry date, as Verisign did when its roots
expired in December 1999.  The old root can be used to verify the new root.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
Re: OT: SSL certificate chain problems
user name
2007-01-26 10:42:58
On Fri, Jan 26, 2007 at 07:06:00PM +1300, Peter Gutmann wrote:

> Victor Duchovni MorganStanley.com> writes:
>
> >Generally it is enough for a TLS server or client to present its own
> >certificate and all *intermediate* CA certificates, sending the root CA cert
> >is optional, because if the verifying system trusts the root CA in question,
> >it has a local copy of that root CA cert.
>
> In some cases it may be useful to send the entire chain, one such being when a
> CA re-issues its root with a new expiry date, as Verisign did when its roots
> expired in December 1999.  The old root can be used to verify the new root.

Wouldn't the old root also (until it actually expires) verify any
certificates signed by the new root?  If so, why does a server need to send
the new root?  So long as the recipient has either the new or the old root,
the chain will be valid.

Is the problem case when the verifier has both roots, and the older of the
two has expired?

-- 
    /"\    ASCII RIBBON                  NOTICE: If received in error,
    \ /    CAMPAIGN     Victor Duchovni  please destroy and notify
     X     AGAINST      IT Security,     sender.  Sender does not waive
    / \    HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                          and use is prohibited.
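Added example, not part of the thread and not code by either poster: a toy Python path builder that walks through the cases the two messages discuss. It assumes a constructed PKI in which the CA re-issued its root with a new key pair and cross-signed the new root with the old root's key (the general cross-signing case, which goes beyond the thread; if a re-issue keeps the same key pair, as the question above assumes, the old root verifies the intermediate directly and the bridge is never needed). Signatures are HMAC stand-ins, and names such as "Example Root" and the key identifiers are constructed.

```python
"""Toy model of TLS certificate path building: enough to show why sending
intermediates is required, why sending the root is usually redundant, and how
a re-issued (cross-signed) root can be bridged from an older trusted root.
Signatures are HMAC stand-ins keyed by a toy 'private key'; constructed
illustration only, not real X.509 or TLS code."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed key pairs: the name plays the public key / key identifier, the
# bytes play the private key. The CA re-issues its root with a NEW key here.
KEYS = {
    "root-key-1": b"constructed-old-root-private-key",
    "root-key-2": b"constructed-new-root-private-key",
    "inter-key": b"constructed-intermediate-private-key",
    "leaf-key": b"constructed-leaf-private-key",
}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str          # this certificate's own (toy) public key
    signing_key: str  # key that produced sig (cf. AuthorityKeyIdentifier)
    not_after: int    # expiry, as a year, constructed
    sig: bytes


def _tbs(subject, issuer, key, signing_key, not_after) -> bytes:
    return f"{subject}|{issuer}|{key}|{signing_key}|{not_after}".encode()


def issue(subject, issuer, key, signing_key, not_after) -> Cert:
    tbs = _tbs(subject, issuer, key, signing_key, not_after)
    sig = hmac.new(KEYS[signing_key], tbs, hashlib.sha256).digest()
    return Cert(subject, issuer, key, signing_key, not_after, sig)


def signed_by(cert: Cert, key: str) -> bool:
    """Does `key` verify cert.sig? (Toy: recompute the HMAC and compare.)"""
    tbs = _tbs(cert.subject, cert.issuer, cert.key, cert.signing_key, cert.not_after)
    return hmac.compare_digest(hmac.new(KEYS[key], tbs, hashlib.sha256).digest(), cert.sig)


def build_path(leaf: Cert, sent: list, anchors: list, now: int) -> Optional[list]:
    """Chain from leaf to a locally trusted anchor, or None if none exists.

    Rules a real verifier applies: every cert must be unexpired at `now`; a
    local anchor is preferred over anything the peer sent (so a sent root we
    already trust is simply ignored); a sent self-signed or cross-signed root
    is used only as a bridge to an anchor that is itself still valid.
    """
    valid_anchors = [a for a in anchors if a.not_after >= now]
    path = [leaf]
    while True:
        cur = path[-1]
        if cur.not_after < now:
            return None
        for anchor in valid_anchors:
            if anchor.subject == cur.issuer and signed_by(cur, anchor.key):
                return path + [anchor]
        nxt = next((c for c in sent
                    if c.subject == cur.issuer and c.key == cur.signing_key
                    and c not in path and signed_by(cur, c.key)), None)
        if nxt is None:
            return None
        path.append(nxt)


# Constructed PKI: "Example Root" was re-issued in 1999 with a new key and a
# new expiry; the new root is cross-signed by the old root's key, so an old
# root that is still valid can verify it.
OLD_ROOT = issue("Example Root", "Example Root", "root-key-1", "root-key-1", 1999)
NEW_ROOT = issue("Example Root", "Example Root", "root-key-2", "root-key-2", 2028)
NEW_ROOT_XSIGNED = issue("Example Root", "Example Root", "root-key-2", "root-key-1", 2028)
INTER = issue("Example Intermediate", "Example Root", "inter-key", "root-key-2", 2010)
LEAF = issue("www.example.test", "Example Intermediate", "leaf-key", "inter-key", 2008)


def scenarios() -> dict:
    """Which verifier / sent-chain combinations validate; keys are labels."""
    return {
        # Verifier trusts the new root: intermediates suffice, a sent root is ignored.
        "new_root_only,inters_only": build_path(LEAF, [INTER], [NEW_ROOT], 2007) is not None,
        "new_root_only,full_chain": build_path(LEAF, [INTER, NEW_ROOT_XSIGNED], [NEW_ROOT], 2007) is not None,
        # Verifier still on the old root in 1998: needs the cross-signed new root as a bridge.
        "old_root_1998,inters_only": build_path(LEAF, [INTER], [OLD_ROOT], 1998) is not None,
        "old_root_1998,full_chain": build_path(LEAF, [INTER, NEW_ROOT_XSIGNED], [OLD_ROOT], 1998) is not None,
        # Once the old root has expired, the bridge no longer helps.
        "old_root_2007,full_chain": build_path(LEAF, [INTER, NEW_ROOT_XSIGNED], [OLD_ROOT], 2007) is not None,
        # Both roots installed, old one expired: the still-valid new anchor wins.
        "both_roots_2007,full_chain": build_path(LEAF, [INTER, NEW_ROOT_XSIGNED], [OLD_ROOT, NEW_ROOT], 2007) is not None,
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label:32} {'valid' if ok else 'NO PATH'}")
```

The design choice worth noting is the order of preference in `build_path`: a local trust anchor always wins over a certificate the peer sent, which is why a server that includes its root costs nothing for clients that already trust it, while the cross-signed root only matters for clients whose store still holds the old root and has not yet passed its expiry.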