In message <[EMAIL PROTECTED]> on Fri, 24 Sep 2004 14:22:06 +0400, Toxa <[EMAIL PROTECTED]> said:
postfix> > All the arrows show what the certificates can verify. It should be
postfix> > easy to see that any path going down from CA0 is impossible, because
postfix> > there's nothing that can verify CA0c1 except for CA0c1 itself. The
postfix> > obvious choices for points of trust are CA0c1 or the user's own CA
postfix> > certificate, giving the following possibilities for users in the CA1
postfix> > realm:
postfix>
postfix> > point of trust = CA0c1 (the cross certification is entirely
postfix> > pointless in this case, BTW):
postfix>
postfix> > [CA0c1] -> [CA2c1] -> [CA2U{x}]
postfix>
postfix> > point of trust = CA1c1:
postfix>
postfix> > [CA1c1] -> [CA2c2] -> [CA2U{x}]
postfix>
postfix> Yes, now I see that [CA1] -> [CA0] -> [CA2] is a completely
postfix> wrong path, but, at last, what will be the chain if I am the
postfix> user of CA1, and the user of CA2 gave me his certificate?
postfix> The situation remains the same, i.e. CA1 and CA2 are both
postfix> still cross-certified and subordinated by CA0. You point out the
postfix> choices:
postfix>
postfix> [CA0c1] -> [CA2c1] -> [CA2U{x}]
postfix> [CA1c1] -> [CA2c2] -> [CA2U{x}]
postfix>
postfix>
postfix> But it is impossible to see two chains in a certificate at one
postfix> time, right?

Not entirely. It all depends on what points of trust the user has.
Read again what I wrote (quoted above), and note that I have made the
two choices depend on the point of trust (i.e. what root certificate
the user has in his list of trusted roots).

Now, the reason I say "not entirely" is that a user in this example
might have both CA0c1 and CA1c1 in his list of trusted roots. It's up
to the application to handle that, and unfortunately, not all
applications know how to.

postfix> And as I can understand you, both are correct. This puzzles
postfix> me. Does the chain depend on something else? How can I
postfix> control it? How can I choose between those two paths?

The choice is with the user and exactly what they import.

postfix> Remember, users have both the cross-certificate and the root CA0
postfix> certificate imported (in case the chain depends on which
postfix> certificates the user has imported).

Why on earth should all users need to have both cross certificates?
And if they have CA0c1 as a point of trust, why on earth would they
need anything else at all? There's absolutely no need for all users
to have all those certificates at once. If you do that, then you'll
end up with a mess, and possibly with confused software (as I said,
not all applications know how to handle branches in verification
paths).

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [EMAIL PROTECTED]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
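As an added illustration (not part of this thread and not OpenSSL's own code), here is the path discovery the reply describes, with each certificate reduced to a subject/issuer pair. The certificate names follow the thread; CA2U1 is a constructed stand-in for CA2U{x}, and the only certificates modelled are the ones the thread names. Running it shows one path per imported root, and both paths (the branch the reply warns about) when CA0c1 and CA1c1 are both trusted.

```python
"""Certificate path discovery for the cross-certification scenario in the thread.

Each certificate is modelled as (subject, issuer); a certificate is self-signed
when subject == issuer. Names follow the thread; CA2U1 stands in for CA2U{x}.
"""

CERTS = {
    "CA0c1": ("CA0", "CA0"),    # CA0 root, self-signed
    "CA1c1": ("CA1", "CA1"),    # CA1 root, self-signed
    "CA2c1": ("CA2", "CA0"),    # CA2 subordinated under CA0
    "CA2c2": ("CA2", "CA1"),    # cross-certificate: CA1 certifies CA2
    "CA2U1": ("user1", "CA2"),  # constructed end-entity cert issued by CA2
}


def issuers_of(cert_name, certs):
    """All certificates whose subject matches the issuer name of cert_name."""
    _, issuer = certs[cert_name]
    return [name for name, (subject, _) in certs.items() if subject == issuer]


def build_paths(leaf, trust_anchors, certs=CERTS):
    """Return every verification path from leaf up to a trusted root, root first.

    A path ends only at a certificate in trust_anchors. A self-signed
    certificate that is not trusted is a dead end, which is why the route
    through CA2c2 to CA1c1 vanishes when only CA0c1 is trusted (and vice versa).
    """
    paths = []

    def walk(current, chain):
        if current in trust_anchors:
            paths.append(list(reversed(chain)))
            return
        subject, issuer = certs[current]
        if subject == issuer:          # untrusted self-signed cert: nowhere to go
            return
        for candidate in issuers_of(current, certs):
            if candidate not in chain:  # never pass through a cert twice
                walk(candidate, chain + [candidate])

    walk(leaf, [leaf])
    return paths


if __name__ == "__main__":
    for anchors in ({"CA0c1"}, {"CA1c1"}, {"CA0c1", "CA1c1"}):
        print(sorted(anchors), "->", build_paths("CA2U1", anchors))
```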