Actually, there's a paper that was pointed out to me not too long ago (by Philipp Gühring of CAcert.org) -- it /should/ be possible, however there's a severe lack of support in the current implementations.

http://www.dfn-pca.de/bibliothek/reports/pki-linking/report-linking-final-1.0.2.pdf (CC:AT-NC-SA)

I would like to see support made much more available.

-Kyle H

On 2/28/06, Alain Damiral <[EMAIL PROTECTED]> wrote:
> Hi,
>
> This question might be slightly silly and out of place but this
> conversation brought it up to me. I don't remember seeing the answer...
>
> Is it possible to send several chains, each rooted by a different CA?
> And then let the client determine if he trusts one of those CAs.
>
> Cheers,
>
> - Alain
>
> Kyle Hamilton wrote:
>
> >The only certificates that must be sent are the server identification
> >and the certs up to (but not including) the trust anchor. (Since the
> >client already has the trust anchor, it will verify against its local
> >copy of the root CA, not the copy of the root CA that came from the
> >connection.)
> >
> >Sending the extra certificate doesn't hurt, though.
> >
> >-Kyle H
> >
> >On 2/27/06, Brian Candler <[EMAIL PROTECTED]> wrote:
> >
> >>On Mon, Feb 27, 2006 at 07:36:16PM +0000, Brian Candler wrote:
> >>
> >>>Ah. I had just used -cert ../server.example.com-cert.pem (where this file
> >>>contains all the certificates). So now I've added -CAfile as well, pointing
> >>>to the same file:
> >>>
> >>>#!/bin/sh
> >>>cd content
> >>>openssl s_server -cert ../server.example.com-cert.pem \
> >>>    -CAfile ../server.example.com-cert.pem \
> >>>    -key ../server.example.com-key.pem \
> >>>    -WWW
> >>>
> >>>And it works. I've removed the sub-CA certificate and its symlink from
> >>>/etc/ssl/certs, but the client can still verify the chain:
> >>>
> >>As a follow-up for the benefit of the list archive: to get this to work in
> >>Apache+mod_ssl I just had to uncomment
> >>
> >>SSLCertificateChainFile /usr/local/etc/apache/ssl.crt/ca.crt
> >>
> >>from httpd.conf, and point it at a file containing the sub-CA's certificate
> >>(signed by the root CA) and the root CA's own self-signed certificate.
> >>
> >>Regards,
> >>
> >>Brian.
> >>______________________________________________________________________
> >>OpenSSL Project                                 http://www.openssl.org
> >>User Support Mailing List                    openssl-users@openssl.org
> >>Automated List Manager                           [EMAIL PROTECTED]
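An added example, not from anyone in this thread: it builds a constructed root / sub-CA / server hierarchy with openssl and checks the two points made above, that the server has to hand over the leaf plus the sub-CA (the contents of Brian's -cert file or SSLCertificateChainFile) while the root is optional, and that a client holding only its own copy of the root verifies against that copy. All names (Example Root CA, Example Sub CA, server.example.com) and the helper names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: build a three-tier chain with openssl
# and check which certificates the server must hand to the client.
# All names (Example Root CA, Example Sub CA, server.example.com) are made up.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal req config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:server.example.com\n' > srv.ext

newkey_csr() {  # $1 = file basename, $2 = subject DN
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {
  # Root CA: the client's trust anchor, self-signed.
  newkey_csr root "/CN=Example Root CA"
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
    -extfile ca.ext -out root.pem 2>/dev/null
  # Sub-CA, signed by the root.
  newkey_csr sub "/CN=Example Sub CA"
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile ca.ext -out sub.pem 2>/dev/null
  # Server certificate, signed by the sub-CA.
  newkey_csr server "/CN=server.example.com"
  openssl x509 -req -in server.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 825 -sha256 -extfile srv.ext -out server.pem 2>/dev/null
  # What the server should send (the thread's -cert file / SSLCertificateChainFile
  # content): the leaf followed by the sub-CA. The root is not needed.
  cat server.pem sub.pem > server-chain.pem
}

# Emulate a client that trusts only its local root.pem and receives $1 (a PEM
# bundle, or "" for nothing) from the server; exit status 0 means verified.
client_verifies() {
  if [ -n "$1" ]; then
    openssl verify -CAfile root.pem -untrusted "$1" server.pem >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
  fi
}

build_chain
client_verifies server-chain.pem && echo "leaf + sub-CA sent: chain verified"
client_verifies "" || echo "leaf alone sent: unable to get local issuer certificate"
```

Appending root.pem to server-chain.pem makes no difference to the result, which is the "doesn't hurt, though" case from Kyle's reply.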