In message <[EMAIL PROTECTED]> on Thu, 23 Sep 2004 11:25:06 -0400, Charles B Cranston <[EMAIL PROTECTED]> said:

zben> At the risk of seeming even more confused than usual...
zben>
zben> There's a lot of theory out there about cross certification and
zben> bridges etc, but as far as I can tell it is really all theory,
zben> and will REMAIN theory until the various "relying parties", that
zben> is, the standard web browsers, can properly process what are
zben> called "branched certificate chains". It is my belief that we
zben> are not yet there, so trying to do anything more complicated
zben> than a simple linear certificate chain is asking for trouble.

Actually, this is just half true. For simple cross certification like
I described in my previous post, the verification path for each user
is still linear. However, as soon as the same CA creates more than
one path to another CA, you're toast. The minimum example for such a
can of worms is a group of three CAs that are fully meshed (i.e. every
one of them is cross certified with the two others).

zben> Am I hopelessly rooted in the past, or is this a reasonable
zben> analysis?

It's a reasonable analysis for complicated meshes. As long as each
user has a single path of verification, you're out of trouble, though.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
-- C.S. Lewis
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
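
The linear-versus-branched distinction discussed in the message above, as an added sketch that is not part of the original post or of OpenSSL: cross-certificates are modelled as directed issuer-to-subject edges, and every loop-free chain from a relying party's trust anchor to a user's issuing CA is enumerated. The CA names A, B, C and the helper names are assumptions made for illustration.

```python
# Added illustration: CA names and cross-certificates below are constructed.
from itertools import permutations
from typing import Dict, List, Set, Tuple

# issuer CA -> CAs it has issued a cross-certificate for
CrossCerts = Dict[str, Set[str]]

def mesh(*cas: str) -> CrossCerts:
    """Fully meshed group: every CA cross-certifies every other one."""
    return {a: {b for b in cas if b != a} for a in cas}

def cert_paths(graph: CrossCerts, anchor: str, target: str) -> List[List[str]]:
    """Every loop-free chain of CAs from the trust anchor to the issuing CA."""
    found: List[List[str]] = []

    def walk(ca: str, chain: List[str]) -> None:
        if ca == target:
            found.append(chain)
            return
        for nxt in sorted(graph.get(ca, ())):
            if nxt not in chain:          # never revisit a CA: no loops
                walk(nxt, chain + [nxt])

    walk(anchor, [anchor])
    return found

def branched_pairs(graph: CrossCerts) -> List[Tuple[str, str]]:
    """(anchor, issuing CA) pairs with more than one verification path."""
    cas = sorted(set(graph) | {s for subs in graph.values() for s in subs})
    return [(a, t) for a, t in permutations(cas, 2)
            if len(cert_paths(graph, a, t)) > 1]

if __name__ == "__main__":
    for name, g in (("pair", mesh("A", "B")), ("trio", mesh("A", "B", "C"))):
        print(name, "branched pairs:", branched_pairs(g))
        print("  A -> last CA:", cert_paths(g, "A", sorted(g)[-1]))
```

Running `branched_pairs` over a planned cross-certification layout before issuing anything shows which relying-party and issuer combinations would leave the single-path case.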