Um, feel free to point me elsewhere, but I'm having trouble visualizing what's being discussed. I keep reading "branched certificate chain", but what I understood from the description is like this:
Before: OurRoot ---> Level1 ---> EndUsers
After:  IdenTrust ---> OurRoot ---> Level1 ---> EndUsers
What are the contents of the "issuer" field of the cert marked OurRoot?
Before: our name
After:  IdenTrust's name
So consider a browser that still has the OLD OurRoot sitting in its disk file, and then it gets ANOTHER, DIFFERENT OurRoot in the chain shipped down from the server.
Now, it starts building the chain with EndUsers, gets to Level1 OK, but when it wants to extend the next time, it has two choices, the OLD OurRoot still in its disk file, and the NEW OurRoot (which is not actually a root anymore) that came from the server.
I could draw you more complicated diagrams in the context of the problem I was trying to solve last year: transparent upgrade from an old local root to a new local root. The approach I was trying was various forms of "old root signed by new root" and "new root signed by old root" but as I said I cannot show you something that actually works because I didn't find one... :-)
-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
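As an added illustration (not part of Ben's message or of OpenSSL), here is a small Python model of the fork he describes: a path builder that, starting from EndUsers, can continue through either the old self-signed OurRoot in the trust store or the new IdenTrust-signed OurRoot sent by the server. Names, key ids and the "signed_by" field are constructed stand-ins for real signature verification.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal model of an X.509 cert: names, the key it carries, and the
    key that signed it (stands in for actual signature verification)."""
    subject: str
    issuer: str
    key_id: str      # public key certified by this cert
    signed_by: str   # key that produced this cert's signature
    label: str

def candidate_issuers(cert, certs):
    # A cert can continue the path only if its subject matches our issuer
    # field AND its key is the one that verifies our signature.
    return [c for c in certs if c.subject == cert.issuer and c.key_id == cert.signed_by]

def build_paths(leaf, server_chain, trust_store):
    """Return every path leaf -> ... -> trust anchor, shortest first."""
    paths = []
    def walk(path):
        cur = path[-1]
        for anchor in candidate_issuers(cur, trust_store):
            paths.append(path + [anchor])        # reached a trusted root: done
        for nxt in candidate_issuers(cur, server_chain):
            if nxt not in path:                  # guard against cross-sign loops
                walk(path + [nxt])
    walk([leaf])
    return sorted(paths, key=len)

# Constructed scenario from the thread (all values illustrative).
# Old and new OurRoot share the same key, so Level1 verifies under both.
OLD_ROOT   = Cert("OurRoot", "OurRoot", "K_our", "K_our", "old OurRoot (self-signed, on disk)")
CROSS_ROOT = Cert("OurRoot", "IdenTrust", "K_our", "K_idt", "new OurRoot (signed by IdenTrust)")
IDENTRUST  = Cert("IdenTrust", "IdenTrust", "K_idt", "K_idt", "IdenTrust root")
LEVEL1     = Cert("Level1", "OurRoot", "K_l1", "K_our", "Level1")
END_USER   = Cert("EndUser", "Level1", "K_eu", "K_l1", "EndUser")

SERVER_CHAIN = [END_USER, LEVEL1, CROSS_ROOT]   # what the server ships down

def paths_with_old_root():
    """Browser still has the old OurRoot: two valid paths exist."""
    return [[c.label for c in p] for p in build_paths(END_USER, SERVER_CHAIN, [OLD_ROOT, IDENTRUST])]

def paths_without_old_root():
    """Browser trusts only IdenTrust: the path must go through the new OurRoot."""
    return [[c.label for c in p] for p in build_paths(END_USER, SERVER_CHAIN, [IDENTRUST])]

if __name__ == "__main__":
    for p in paths_with_old_root():
        print(" -> ".join(p))
```

Sorting by length reproduces the common "stop as soon as you hit a trust anchor" behaviour, which is why a browser holding the old root never needs the cross-signed cert at all.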
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]