[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL server certificate that has an intermediary certificate in the chain



2011/8/2 Howard Chu <hyc@symas.com>:
> Erwann ABALEA wrote:
>>
>> 2011/8/1 Howard Chu<hyc@symas.com>:
>>>
>>> David Hawes wrote:
>>
>> [...]
>>>
>>> Think about why you would configure such a setup, and what it actually
>>> means. When you have a certificate of your own, signed by a particular
>>> CA,
>>> that obviously means that you must trust that CA. If you're going to
>>> accept
>>> a cert from another party that is signed by a different CA that obviously
>>> means that you must also trust the other CA. There is absolutely nothing
>>> gained from isolating these two CAs, on either side of the session.
>>
>> You've never been into such a situation. That doesn't mean such an
>> isolation is irrelevant.
>
> Go and read the X.509 spec. Go and read the TLS RFC (2246). You're spouting
> nonsense.

I read it really often, as I'm involved in X.509 PKI since 1998,
working for a large PKI operator, starting by being an SET CA operator
for 8 banks and 3 brands. We host dozens of CAs on our facility; we
deploy new ones everywhere in the world, auditing people, writing
CP/CPS; we produced tens of millions of certificates; we produce
millions of OCSP replies every day, and a lot of other services around
PKI.
I know X.509, and I know RFC2246/4346/5246, among others.
Go tell Apache, Sun, Mozilla, Opera, Microsoft, and a bunch of other
vendors that isolation of CAs is irrelevant, and come here after.

-- 
Erwann.