
Re: SSL server certificate that has an intermediary certificate in the chain
2011/8/1 Howard Chu <hyc@symas.com>:
[...]
> If there were indeed anything to be gained by such a feature, it would also
> need to be implemented on clients. Look around - do any web browsers allow
> you to isolate CAs like this?

Yes. You can basically isolate CAs into 3 categories (they can interleave):
 - CAs trusted to issue server certs
 - CAs trusted to issue email certs
 - CAs trusted to issue code signing certs

> It's utter nonsense.

What is nonsense is having a bag full of CAs for mixed usage. Moreover,
you even mix CAs that need to be sent to the client (so it can build a
certificate path) with CAs that the server trusts (to verify client
certs).

-- 
Erwann.
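The purpose isolation described in the reply, as an added example that is not part of this thread: a constructed Go program (standard library only) builds a CA whose extendedKeyUsage limits it to issuing server certificates and shows that Go's chain verifier accepts the leaf for serverAuth but rejects the very same leaf for clientAuth, because the purpose is checked against the CA too. The CA name, the hostname, the serial numbers and the EKU choices are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// tmpl builds a certificate template whose extendedKeyUsage pins it to the given purposes (constructed values).
func tmpl(cn string, serial int64, isCA bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: eku}
}

// issue generates a fresh key for t and signs t with parentKey (self-signed when parentKey is nil).
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parentKey == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyAs reports whether leaf chains to roots for one purpose; Go checks the EKU of every cert in the chain, CA included.
func VerifyAs(leaf *x509.Certificate, roots *x509.CertPool, purpose x509.ExtKeyUsage) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{purpose}})
	return err == nil
}

// Demo: a CA trusted only to issue server certs; its leaf lists both serverAuth and clientAuth.
func Demo() (asServer, asClient bool) {
	caTmpl := tmpl("Server CA (constructed)", 1, true, x509.ExtKeyUsageServerAuth)
	ca, caKey := issue(caTmpl, nil, nil)
	leaf, _ := issue(tmpl("ldap.example.test", 2, false, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth), ca, caKey)
	roots := x509.NewCertPool() // the "server CA" category; CAs trusted for client certs belong in a separate pool (tls.Config.ClientCAs)
	roots.AddCert(ca)
	return VerifyAs(leaf, roots, x509.ExtKeyUsageServerAuth), VerifyAs(leaf, roots, x509.ExtKeyUsageClientAuth)
}
```

Keeping the server-cert CAs in one pool and the client-cert CAs in another (and sending only the former's chain to the client) is what keeps the two trust decisions from contaminating each other.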