"Michael T. Babcock" wrote:
> I believe I once saw on the Equifax site that they use signing certificates signed
> by Thawte -- so its possible that their certificate is not in the browser but that
> the browser can verify the Equifax certificate against the Thawte cert, and then
> verify yours against the Equifax cert.
An excellent example of the pains of path discovery!
There is, unless I'm very mistaken indeed, currently no standardized way
for a relying party to create this chain of certificates on its own.
Without a priori knowledge of the chain it will have to go through quite
an impressive amount of detective work, not to mention a number of
conceivably out-of-band steps (dear Mr. Support Person, I require your
suite of issuer certificates presently, as I am trying to make use of a
secure web server belonging to one of your clients' clients) in order to
collect (and then actually verify) the certificates (and don't forget
*every* applicable CRL, ARL, dCRL, etc.) from the respective vendors in
this trusted third party.
RFC 2377 is a start I guess, but it's currently only informational, and
anyway, all existing PKIs would either have to be rebuilt from scratch
or go through a complete re-naming operation (don't know if the word
lesser is actually applicable to any of these evils) in order to conform
to this.
All existing relying parties would also need to be upgraded to RFC 2377
awareness, plus there's some draft somewhere outlining how to actually
*find* the directory server these intermediate certificates are located
in. This requires the service locator DNS extension, which means
everybody will have to upgrade to the latest version of BIND as well. I
think we'll probably be discussing the migration to IPv7 by then. ;-)
Even then, all of the above would also have had to make its way into a
standards document.
So my humble suggestion is that we stick to having the server supply the
certificate chain for the foreseeable (sic?) future. :-)
//oscar
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
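The two situations the thread contrasts, a relying party that is handed the
chain by the server versus one that has to discover the path itself, as an
added example that is not part of the original mailing-list discussion. It is
written in Go against the standard library's crypto/x509 rather than OpenSSL,
and everything in it is constructed for the demonstration: the three-level
hierarchy (a made-up "Example Root CA", an intermediate, and a server
certificate for the hypothetical host www.example.test) is generated in memory
at run time, and it also adds a self-signed "rogue" CA that reuses the
intermediate's subject name, which goes beyond the thread to show why matching
issuer and subject names is not enough and each candidate's signature must be
checked too. Function names (buildPKI, verifyLeaf, discoverPath) are this
example's own; CheckSignatureFrom, Verify and the cert pools are real Go
standard-library APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a throwaway hierarchy built in memory for this example (not real CA material):
// Root -> Intermediate -> server leaf, plus a self-signed "rogue" CA with the intermediate's name.
type testPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
	Candidates               []*x509.Certificate // unordered bag the relying party has to search
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // fixture generation for the example, not production error handling
	}
	return v
}

func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageCertSign,
	}
	if !isCA { // server certificate
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{"www.example.test"}
	}
	return t
}

// issue generates a P-256 key and signs tmpl with parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func buildPKI() *testPKI {
	root, rootKey := issue(template(1, "Example Root CA", true), nil, nil)
	inter, interKey := issue(template(2, "Example Intermediate CA", true), root, rootKey)
	leaf, _ := issue(template(3, "www.example.test", false), inter, interKey)
	rogue, _ := issue(template(4, "Example Intermediate CA", true), nil, nil) // same name, unrelated key
	return &testPKI{Root: root, Intermediate: inter, Leaf: leaf, Candidates: []*x509.Certificate{rogue, inter}}
}

// verifyLeaf is the relying party: it trusts only the root and may use whatever
// intermediates the server chose to send in the handshake.
func verifyLeaf(p *testPKI, serverSent []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	for _, c := range serverSent {
		inters.AddCert(c)
	}
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.test"})
	return err
}

// discoverPath is the "detective work": from the leaf, follow issuer names through an unordered
// bag of candidates, accepting one only if it is a CA that really signed the current cert.
func discoverPath(leaf *x509.Certificate, candidates []*x509.Certificate, root *x509.Certificate) ([]*x509.Certificate, error) {
	path, cur := []*x509.Certificate{leaf}, leaf
	for len(path) <= 8 { // bound the walk so a cycle of cross-signed CAs cannot spin forever
		if cur.Issuer.String() == root.Subject.String() && cur.CheckSignatureFrom(root) == nil {
			return append(path, root), nil
		}
		var next *x509.Certificate
		for _, c := range candidates {
			if cur.Issuer.String() == c.Subject.String() && c.IsCA && cur.CheckSignatureFrom(c) == nil {
				next = c
				break
			}
		}
		if next == nil {
			return path, fmt.Errorf("no verifiable issuer for %q: path discovery stalls", cur.Subject.CommonName)
		}
		path, cur = append(path, next), next
	}
	return path, fmt.Errorf("gave up after %d certificates", len(path))
}

func main() {
	p := buildPKI()
	path, err := discoverPath(p.Leaf, p.Candidates, p.Root)
	fmt.Println(verifyLeaf(p, nil), verifyLeaf(p, p.Candidates), len(path), err)
}
```

With only the root in its trust store, verifyLeaf fails when the server sends
the leaf alone (the issuer is unknown to the verifier) and succeeds as soon as
the intermediate is included, which is the "have the server supply the chain"
recommendation in practice. discoverPath shows the other road: name matching
alone would happily pick the rogue certificate first, and it is the signature
check on each hop that steers the walk to the genuine intermediate; with no
candidates at all the walk stalls at the leaf, and nothing in the code, or in
the protocol, tells the relying party where to go fetch the missing issuer.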