[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: SSL server certificate that has an intermediary certificate in the chain
2011/8/1 Howard Chu <hyc@symas.com>:
[...]
> If there were indeed anything to be gained by such a feature, it would also
> need to be implemented on clients. Look around - do any web browsers allow
> you to isolate CAs like this?
Yes. You can basically isolate CAs into 3 categories (they can interleave):
- CAs trusted to issue server certs
- CAs trusted to issue email certs
- CAs trusted to issue code signing certs
> It's utter nonsense.
What is non-sense is having a bag full of CAs for mixed usage. More,
you even mix CAs that need to be sent to the client (so it can build a
certificate path) with CAs that the server trust (to verify client
certs).
--
Erwann.