At the risk of seeming even more confused than usual...
There's a lot of theory out there about cross certification and
bridges etc, but as far as I can tell it is really all theory, and
will REMAIN theory until the various "relying parties", that is,
the standard web browsers, can properly process what are
called "branched certificate chains". It is my belief that we
are not yet there, so trying to do anything more complicated
than a simple linear certificate chain is asking for trouble.
Am I hopelessly rooted in the past, or is this a reasonable
analysis?
Toxa wrote:
Would you mind clearing this up for me... If any CA has been
cross-certified with another one, all users of that CA have to import
their CA's cross-certificate in order to trust users of the other CA, but
they still have to keep the old CA cert, right? What if a user imports the new
cross-certificate only, without installing the old CA cert? I suppose it
depends on the functionality of the cross-certificate...
And the last one: imagine two cross-certified CAs which were, for
example, self-signed, and suddenly re-sign their root certs in order to be
subordinated to a new Root CA (e.g. their new certificates are signed by that
root CA). What about the new certificate chain for
users of those CAs: will it be based on the cross-certificate, or based on
the new root CA?
e.g.
CA1 and CA2 are cross-certified, both subordinated to CA0. For a user of
CA1 picking the certificate of a user of CA2, the chain will be:
[CA1] -- [CA2]
or
[CA1] -- [CA0] -- [CA2]
--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
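To make the two points above concrete (the "branched chain" worry in the reply and the [CA1]--[CA2] versus [CA1]--[CA0]--[CA2] question in the quoted message), here is an added example that is not part of this thread or of OpenSSL: a stdlib-only Python toy path builder. Certificates are modelled by subject, issuer and key identifiers only; the CA names, the key ids k0/k1/k2/ka and the user "alice" are constructed, and signature verification, validity periods and constraint checking are deliberately left out. A naive walker that always follows the first matching issuer certificate is compared with a depth-first builder that explores every candidate issuer, which is what a relying party needs once cross-certificates give one CA several certificates for the same key.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields a path
    builder needs to link a certificate to its issuer. Constructed for this
    example; signatures, validity periods and constraints are omitted."""
    label: str    # human-readable description, used only for printing
    subject: str  # subject name
    issuer: str   # issuer name
    skid: str     # subject key identifier (which key this cert certifies)
    akid: str     # authority key identifier (which key signed this cert)


# Constructed PKI matching the scenario in the quoted message: CA1 and CA2
# are cross-certified with each other, and both have also been subordinated
# under a new root CA0. Key ids k0/k1/k2/ka are made up.
ROOT0 = Cert("CA0 self-signed", "CA0", "CA0", "k0", "k0")
ROOT1 = Cert("CA1 self-signed", "CA1", "CA1", "k1", "k1")
ROOT2 = Cert("CA2 self-signed", "CA2", "CA2", "k2", "k2")
CA1_BY_CA0 = Cert("CA1 issued by CA0", "CA1", "CA0", "k1", "k0")
CA2_BY_CA0 = Cert("CA2 issued by CA0", "CA2", "CA0", "k2", "k0")
CA2_BY_CA1 = Cert("CA2 cross-certified by CA1", "CA2", "CA1", "k2", "k1")
CA1_BY_CA2 = Cert("CA1 cross-certified by CA2", "CA1", "CA2", "k1", "k2")
ALICE = Cert("alice (issued by CA2)", "alice", "CA2", "ka", "k2")

# Non-self-signed certificates available to the relying party. The order is
# deliberate: the CA0-issued CA2 certificate comes before the cross-cert, so
# a walker that never backtracks picks the wrong branch for a CA1 user.
INTERMEDIATES = [CA2_BY_CA0, CA2_BY_CA1, CA1_BY_CA0, CA1_BY_CA2]


def issued_by(cert, candidate):
    """True if `candidate` certifies the key that signed `cert`."""
    return candidate.subject == cert.issuer and candidate.skid == cert.akid


def linear_chain(leaf, intermediates, anchors):
    """Naive walker: at each step take the first certificate whose subject
    matches the current issuer and never backtrack. Returns the chain, or
    None if the single path it follows does not end at a trust anchor."""
    chain = [leaf]
    while True:
        cur = chain[-1]
        anchor = next((a for a in anchors if issued_by(cur, a)), None)
        if anchor is not None:
            return chain + [anchor]
        nxt = next((c for c in intermediates if issued_by(cur, c)), None)
        if nxt is None or nxt in chain:
            return None
        chain.append(nxt)


def build_paths(leaf, intermediates, anchors):
    """Branch-aware builder: depth-first search over every candidate issuer,
    collecting all paths that end at a trust anchor, shortest first. A
    (subject, key) pair is never revisited, which stops cross-cert loops."""
    paths = []

    def dfs(chain):
        cur = chain[-1]
        for a in anchors:
            if issued_by(cur, a):
                paths.append(chain + [a])
        for c in intermediates:
            already = any((c.subject, c.skid) == (x.subject, x.skid) for x in chain)
            if issued_by(cur, c) and not already:
                dfs(chain + [c])

    dfs([leaf])
    return sorted(paths, key=len)


def describe(chain):
    """Render a chain as 'leaf -- issuer -- ... -- anchor' for display."""
    return " -- ".join(c.label for c in chain) if chain else "no chain found"


if __name__ == "__main__":
    # A user of CA1 who trusts only CA1's own root must go through the cross-cert.
    print("trust CA1 only, naive walker: ", describe(linear_chain(ALICE, INTERMEDIATES, {ROOT1})))
    for p in build_paths(ALICE, INTERMEDIATES, {ROOT1}):
        print("trust CA1 only, path builder: ", describe(p))
    # Once the new root CA0 is trusted, the direct CA0 route and the
    # cross-cert route both end at an anchor; the shorter one is listed first.
    for p in build_paths(ALICE, INTERMEDIATES, {ROOT0}):
        print("trust CA0 only, path builder: ", describe(p))
```

With only CA1's self-signed root trusted, the naive walker follows CA2's CA0-issued certificate, reaches CA0's untrusted key and gives up, while the depth-first builder finds the single valid path through the cross-certificate. With CA0 trusted instead, two paths validate (alice -- CA2 -- CA0 and alice -- CA2 -- CA1 -- CA0), so which chain a relying party reports depends on which anchors it holds and on how it ranks candidates; the pruning on (subject, key) pairs is what keeps mutual cross-certification from sending the search round in circles. A real validator layers signature verification, validity periods and name or policy constraints on top of this structural search.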
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]