Thread: Re: OT: SSL certificate chain problems

Re: OT: SSL certificate chain problems
2007-02-05 02:59:35
Victor Duchovni <Victor.DuchovniMorganStanley.com> writes:
>On Wed, Jan 31, 2007 at 01:57:04PM +1300, Peter Gutmann wrote:
>> You use the key in the old root to validate the self-signature in the new
>> root.  Since they're the same key, you know that the new root supersedes the
>> expired one.
>
>So this is a special trick to extend root CA lifetimes.  How widely is this
>logic implemented, and is extending root CA key lifetime in this manner
>standard practice?

Like a lot of PKI, it's total pot-luck ("crapshoot" in the US I guess) as to
what a particular implementation does when it encounters this situation.  It
may work, it may not work, it may work under some circumstances, or it may do
anything in between.

(I've seen some implementations that require a "system rebuild" (meaning
reinstall all your PKI software with the new roots) to roll over roots, all
the way through to ones that handle the situation automatically.  There really
is no way to tell what a particular implementation will do, apart from trying
it out and seeing what happens).

Peter.
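What the same-key check described in the quoted exchange looks like when written out, as an example added here rather than code from the thread: it uses only Go's standard crypto/x509, and the key, the "Example Root CA" name and the validity dates are all constructed for the demonstration. Besides verifying the new root's self-signature under the old root's key, it also checks that the new root carries that same key, which is what separates a rollover from a cross-sign.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustRoot issues a self-signed CA certificate over key for the given validity window.
func mustRoot(key *ecdsa.PrivateKey, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Example Root CA"}, // constructed name
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// SupersedesExpiredRoot is the check from the message above: the new root's self-signature
// must verify under the OLD root's key, and the key inside the new root must be that same key
// (a different key means a cross-sign, not a rollover). CheckSignatureFrom looks only at the
// signature and the CA bits, not validity dates, so the old root being expired does not matter.
func SupersedesExpiredRoot(oldRoot, newRoot *x509.Certificate) error {
	if err := newRoot.CheckSignatureFrom(oldRoot); err != nil {
		return fmt.Errorf("new root not signed with old root's key: %w", err)
	}
	if !oldRoot.PublicKey.(*ecdsa.PublicKey).Equal(newRoot.PublicKey) {
		return fmt.Errorf("new root carries a different key: cross-signed, not rolled over")
	}
	return nil
}

// Demo: a root that expired in Jan 2007 plus two successors, one on the same key
// (a true rollover) and one on a fresh key. Returns (true, false).
func Demo() (sameKeyOK, freshKeyOK bool) {
	jan := func(y int) time.Time { return time.Date(y, 1, 1, 0, 0, 0, 0, time.UTC) }
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	freshKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	oldRoot := mustRoot(oldKey, 1, jan(2005), jan(2007))
	sameKeyOK = SupersedesExpiredRoot(oldRoot, mustRoot(oldKey, 2, jan(2007), jan(2017))) == nil
	freshKeyOK = SupersedesExpiredRoot(oldRoot, mustRoot(freshKey, 3, jan(2007), jan(2017))) == nil
	return
}

func main() { fmt.Println(Demo()) } // prints: true false
```

Note that Go's CheckSignatureFrom deliberately ignores the parent's expiry; a library whose chain builder refuses to touch an expired root at all is one of the "may not work" cases Gutmann describes.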

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com
