Mark H. Wood wrote:
Um, feel free to point me elsewhere, but I'm having trouble visualizing
what's being discussed. I keep reading "branched certificate chain", but
what I understood from the description is like this:
Before: OurRoot ---> Level1 ---> EndUsers
After: IdenT
However, I must ask the question: "Have you actually DONE this before?"
Yup. But not with SSL and browsers. You're focused on that, but I was
talking in general. In reality, of course, everyone just buys a
commercial SSL cert rather than try to fight with the browsers's (sic!)
trust issues.
Rich Salz wrote:
I was envisioning something much simpler.
Existing applications that know about the "root" CA work without
configuration changes. New applications that need to know about the new
"larger" PKI just add the new root to their list of trust anchors. I
suppose that's really a bridge-CA.
I don't t
Actually, it might be as easy as changing the "name" of the root
and issuing a new L1 certificate. The branch happens when an
unmodified client (which still has the local root installed)
needs to decide who has signed the L1 certificate. Its two
choices are
1. the local root
2. the "missing link
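As an added illustration (not code from this thread, from OpenSSL, or from any browser), here is a toy path builder in Python that models the branch described above: Level1's issuer name and signing key match two certificates in the pool, the old self-signed OurRoot and a cross-certificate (the "missing link") in which the new root signs OurRoot's existing key under the same name. The names, key ids and the cross-signing layout are constructed assumptions. Real path builders match on issuer name and key identifiers much like this, but also verify signatures, validity periods and constraints, which this model leaves out.

```python
"""Toy certificate path builder (added example, not code from the thread).

Each Cert records who it names (subject), who signed it (issuer), the id of
the subject's key and the id of the key that made the signature. Signatures
are not verified here; matching issuer name + signing key id stands in for
that check.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str        # name bound by the certificate
    issuer: str         # name of the CA that signed it
    key: str            # id of the subject's public key
    signed_by_key: str  # id of the key that produced the signature


# Constructed sample PKI. "Before": a local self-signed root, one Level1 CA,
# one end-user cert. These three certificates are never reissued.
OUR_ROOT = Cert("OurRoot", "OurRoot", "k_ourroot", "k_ourroot")
LEVEL1 = Cert("Level1", "OurRoot", "k_level1", "k_ourroot")
ALICE = Cert("alice", "Level1", "k_alice", "k_level1")
CERTS_BEFORE = [OUR_ROOT, LEVEL1, ALICE]

# "After": a new, larger root plus the cross-certificate in which the new root
# signs OurRoot's existing key under the same name: the "missing link".
NEW_ROOT = Cert("NewRoot", "NewRoot", "k_newroot", "k_newroot")
CROSS_CERT = Cert("OurRoot", "NewRoot", "k_ourroot", "k_newroot")
CERTS_AFTER = CERTS_BEFORE + [NEW_ROOT, CROSS_CERT]


def issuer_candidates(cert, pool):
    """Certificates that could have signed `cert`: same issuer name and same
    key as the one used for the signature. Once the cross-cert exists, two
    candidates match Level1's issuer; that is the branch in the chain."""
    return [c for c in pool if c.subject == cert.issuer and c.key == cert.signed_by_key]


def build_path(leaf, pool, trust_anchors, max_depth=8):
    """Depth-first path construction from `leaf` up to a certificate whose
    key is a trust anchor. Returns the list of Certs, leaf first, or None."""

    def walk(cert, path):
        if cert.key in trust_anchors:
            return path
        if len(path) > max_depth:
            return None
        for cand in issuer_candidates(cert, pool):
            if cand.key in trust_anchors:
                return path + [cand]
            # An untrusted self-signed cert (or a cert already on the path)
            # leads nowhere: prune it and try the next branch instead.
            if cand.subject == cand.issuer or cand in path:
                continue
            found = walk(cand, path + [cand])
            if found is not None:
                return found
        return None

    return walk(leaf, [leaf])


def chain_names(path):
    """Readable form, one 'subject<-issuer' entry per certificate, or None."""
    return None if path is None else [f"{c.subject}<-{c.issuer}" for c in path]


def demo():
    """Validate alice's cert as seen by an unmodified client (old root only)
    and by a new client (new root only), before and after the missing link."""
    old_client = {"k_ourroot"}
    new_client = {"k_newroot"}
    return {
        "old_client_before": chain_names(build_path(ALICE, CERTS_BEFORE, old_client)),
        "new_client_before": chain_names(build_path(ALICE, CERTS_BEFORE, new_client)),
        "old_client_after": chain_names(build_path(ALICE, CERTS_AFTER, old_client)),
        "new_client_after": chain_names(build_path(ALICE, CERTS_AFTER, new_client)),
    }


if __name__ == "__main__":
    for client, chain in demo().items():
        print(f"{client:18} {chain}")
```

The old client keeps working after the cross-certificate appears because its path builder stops as soon as it reaches a key it already trusts, so it takes the short branch; the new client has to take the long branch through the cross-certificate, and without that certificate it finds no path at all.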
Follow up to previous posting: I did try to do some experimentation
in the context of trying to design a clean transition from the root
we made in 1998 to the root I made in 2003. I did not have a great
deal of success because the browsers I was working with at the time
(Netscape 4.7x and IE 4 or
Rich Salz wrote:
At the risk of being immodest, you might find this column useful:
http://webservices.xml.com/pub/a/ws/2003/12/09/salz.html
This is a verbatim quote from the text at that URL:
> The root will sign the Level 1 CA and then be taken offline.
> Anyone who wants to validate any iden
> I need some info about the protocols or standards for securing a CA Root
At the risk of being immodest, you might find this column useful:
http://webservices.xml.com/pub/a/ws/2003/12/09/salz.html
/r$
--
Rich Salz Chief Security Architect
DataPower Technology ht