> How is chaining different than cross-certification?

Chaining is a single link from an End Entity up to a root, or trust anchor:

    A --> CA1 --> CA2  --> ... --> Root

(where a-->b means "B has signed the certificate for A")

Cross-certification is when you have multiple chains that intersect:

    A --> CA1 --> CA2  --> ... --> Root
                                    |  ^
                                    v  |
    B --> CAi --> CAii --> ... --> Root'

If B presents a cert to A, A can go up the B chain until it gets to Root', which it sees has been signed by Root, which is one of A's trust anchors, so A trusts B's credentials.

(For convenience, we will ignore the complications added by CRLs or OCSP.)

> If cross-certification means that two CAs sign each other, then how can we
> scale to a scenario of more than two CAs in a fully meshed
> cross-certification model?

Exactly. :)

The US Government has a project to do this for some of their (Defense Dept?) PKIs. I forget the name. Put a new mega-root and have everyone cross-certify with that root. You still get full paths everywhere, but it's O(2N) instead of O(N**2) certifications.

/r$
--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
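A toy model of the path building and the mesh-versus-bridge count described in the post above, added here as an example and not part of the original message. The CA names follow the post's diagram; the Cert class, build_path, cross_certs_required and verify_b_from_a are names assumed for this example, and no real X.509 parsing or signature checking is done.

```python
from collections import deque
from dataclasses import dataclass

# Constructed model of certification path discovery across two
# cross-certified hierarchies: names only, no signatures, name
# constraints, CRLs or OCSP (the post ignores those too).

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # who signed it: "A --> CA1" in the post is Cert("A", "CA1")

def build_path(leaf, certs, trust_anchors):
    """Return [leaf, ..., cert signed by a trust anchor], or None.
    Breadth-first search over issuer links, so the shortest valid path wins
    and a cross-certificate is only used when it is actually needed."""
    by_subject = {}
    for c in certs:
        by_subject.setdefault(c.subject, []).append(c)
    queue = deque([[leaf]])
    seen = {leaf}
    while queue:
        path = queue.popleft()
        if path[-1].issuer in trust_anchors:
            return path
        for nxt in by_subject.get(path[-1].issuer, []):
            # A self-signed cert whose subject is not an anchor is a dead end.
            if nxt.subject != nxt.issuer and nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def cross_certs_required(n_cas, bridge):
    """Directed cross-certificates needed so every CA can reach every other:
    a full mesh signs every ordered pair, n*(n-1); a bridge ("mega-root")
    signs and is signed by each CA, 2*n."""
    return 2 * n_cas if bridge else n_cas * (n_cas - 1)

# Constructed PKI mirroring the post's diagram. Root is A's only trust anchor.
A_HIERARCHY = [Cert("A", "CA1"), Cert("CA1", "CA2"), Cert("CA2", "Root"), Cert("Root", "Root")]
B_HIERARCHY = [Cert("B", "CAi"), Cert("CAi", "CAii"), Cert("CAii", "Root'"), Cert("Root'", "Root'")]
CROSS_CERT = Cert("Root'", "Root")  # Root has signed a certificate for Root'
A_TRUST_ANCHORS = {"Root"}

def verify_b_from_a(with_cross_cert):
    """Subjects along the path A finds for B's cert, or None if B is untrusted."""
    certs = A_HIERARCHY + B_HIERARCHY + ([CROSS_CERT] if with_cross_cert else [])
    path = build_path(Cert("B", "CAi"), certs, A_TRUST_ANCHORS)
    return None if path is None else [c.subject for c in path]

if __name__ == "__main__":
    print("without cross-cert:", verify_b_from_a(False))  # None
    print("with cross-cert:", verify_b_from_a(True))       # ['B', 'CAi', 'CAii', "Root'"]
    print("10 CAs, mesh vs bridge:", cross_certs_required(10, False), cross_certs_required(10, True))
```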