I was envisioning something much simpler.
Existing applications that know about the "root" CA work without configuration changes. New applications that need to know about the new "larger" PKI just add the new root to their list of trust anchors. I suppose that's really a bridge-CA.
This is under some kind of assumption that the branched certificate chain does not totally confuse the verifier and cause it to crash or return "I dunno so fail!". It seems, with some further thought, that one might assume that if the chain will verify either way, it doesn't matter WHICH way the client chooses to go. However, this IS making an assumption about client software behaviour.
However, I must ask the question: "Have you actually DONE this before?" If anybody on the list actually has experience with moving from a locally created root to being under one of the "well-known PKI vendors" a short note on successes, failures, and/or pitfalls would I think be greatly appreciated by the readership.
Also, I guess I need to point out the vagueness of your reference above: "New applications that need to know .. just add the new root to their list of trust anchors." This is not talking about servers or clients and could imply that explicit action is required AT THE CLIENT which I think we have determined is actually not necessary, at least as long as the old root doesn't interfere with the new chain validation.
I don't think branched cert chains need to get involved, so I don't think I need to qualify or disclaim what I wrote. Yes, I ignored the details of distributing the new root certificate; there's a limit on the column length, ya know. In retrospect, adding "(and get the new root distributed and used)" would probably have been worthwhile.
Yes, I understand there is a limit on column length, and that your real purpose was to publicise XKMS :-) So the comment I seized on was just a throw-away platitude, and maybe it was not appropriate for me to have made such a mountain out of that particular molehill.
At any rate, the key point is that if you anchor everything you do under a single root, then moving your tree underneath something else is a lot easier if only one "root" has to move, rather than everything.
This is quite true. One of the things we DID have to deal with during our old local root to new local root transition was people who decided to mark the end-user certificate as trusted in their browsers rather than take the risk of trusting our root. Of course that doesn't survive a transition at all... :-)
Best regards -zben
-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
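The re-rooting scheme the thread is arguing about (cross-certify the old local root's key under the new root, so legacy clients keep trusting the old self-signed root while new clients trust only the new root) can be checked end to end with nothing but the openssl command line. The script below is an added example, not part of the original thread or of any poster's setup: it builds a throwaway old root, new root, cross-certificate and server certificate (the names "Old Local Root", "New Root" and www.example.test are made up for the demo) and then runs the verifier from the point of view of each kind of client, including the "branched chain" case where a client trusts both roots and is also sent the cross-certificate.

```shell
#!/bin/sh
# Added example, not from the thread: re-root a local PKI by cross-certifying
# the OLD root's key under the NEW root, then check which clients still verify.
# All names (Old Local Root, New Root, www.example.test) are made up for the demo.
set -e

WORK=$(mktemp -d)
OLDROOT="$WORK/oldroot.crt"; NEWROOT="$WORK/newroot.crt"
CROSS="$WORK/oldroot-cross.crt"; SERVER="$WORK/server.crt"

# Extension profiles for the CA cross-certificate and the end-entity certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$WORK/ee.ext"

q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still aborts on failure

# 1. The existing self-signed local root (what legacy clients already trust).
q openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Old Local Root" \
    -keyout "$WORK/oldroot.key" -out "$OLDROOT"
# 2. The new root the tree is moving under (stands in for the vendor's root).
q openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=New Root" \
    -keyout "$WORK/newroot.key" -out "$NEWROOT"
# 3. Cross-certificate: SAME subject and SAME key as the old root, issued by the new root.
#    This is the one "root" that has to move; nothing below it is re-issued.
q openssl req -new -key "$WORK/oldroot.key" -subj "/CN=Old Local Root" -out "$WORK/oldroot.csr"
q openssl x509 -req -in "$WORK/oldroot.csr" -CA "$NEWROOT" -CAkey "$WORK/newroot.key" \
    -set_serial 0x1001 -days 365 -extfile "$WORK/ca.ext" -out "$CROSS"
# 4. An end-entity certificate issued by the old root's key, untouched by the move.
q openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr"
q openssl x509 -req -in "$WORK/server.csr" -CA "$OLDROOT" -CAkey "$WORK/oldroot.key" \
    -set_serial 0x2001 -days 365 -extfile "$WORK/ee.ext" -out "$SERVER"
# A client that ends up trusting both the old self-signed root and the new root.
cat "$OLDROOT" "$NEWROOT" > "$WORK/bothroots.crt"

# verify_with TRUST_ANCHORS TARGET [UNTRUSTED_CHAIN]: exit 0 iff the chain validates.
# -no-CApath keeps the system trust store out of the experiment.
verify_with() {
  if [ -n "${3:-}" ]; then
    openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

report() { if verify_with "$2" "$3" "${4:-}"; then echo "$1: OK"; else echo "$1: FAIL"; fi; }

report "legacy client, old root only"            "$OLDROOT"            "$SERVER"
report "legacy client, also sent the cross cert" "$OLDROOT"            "$SERVER" "$CROSS"
report "new client, new root + cross cert"       "$NEWROOT"            "$SERVER" "$CROSS"
report "new client, cross cert not distributed"  "$NEWROOT"            "$SERVER"
report "client trusting both roots, branched"    "$WORK/bothroots.crt" "$SERVER" "$CROSS"
```

The fourth case is the pitfall the thread circles around: a client that trusts only the new root cannot validate anything until the cross-certificate actually reaches it (served in the handshake or installed as an intermediate), so "get the new root distributed and used" is a real step, not a footnote. The last case shows a branched chain being accepted by openssl verify, which says nothing about other verifiers; that is exactly the client-behaviour assumption the thread flags.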