RE: What is the order of certificates in a certificate chain?
> From: Peter Williams <peterw@valicert.com>
>
> Does a CA who sends such certificates to a user
> bear responsibility for the current, individual reliability
> of any certificate it sends? I.e.
> can one assume that the subscriber's CA has just checked the
> certs' non-revoked status, or the provider's continuing
> accreditation certificate status, under the CA domain's or
> another regulator's governing policy, prior to inducing others
> to use or rely on those certificates?
>
> Surely, by virtue of supplying CA certificates to a subscriber
> at such a critical juncture one is performing an authoritative,
> legal introduction to the entities bound to the public keys?
Surely, one is not. The bag-o'-certs is *nothing* more than a
pile of information that may save the subscriber the effort of
looking them up in a directory or elsewhere. It is entirely
up to the subscriber to choose a trust anchor and validate all
certs from that anchor. If one or more provided certs cannot
be so validated, I don't see how they can be regarded as
"introduced" or "considered reliable by a TTP-grade CA".
What, precisely, is a subscriber supposed to do with intermediate
(non-self-signed) certificates which have been "introduced" by a CA?
Dave
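The position in Dave's reply, that the supplied certificates are only hints and that the relying party must pick its own trust anchor and validate every link from that anchor, is what a path validator does. The following Go program is an added illustration, not code from this thread or from any of the participants: it builds a constructed toy hierarchy (names "Root CA", "Intermediate CA", "leaf.example" and an unrelated "Stray CA" are assumptions made up for the example), hands the validator an unordered "bag" of certificates with the stray one mixed in, and shows that the outcome depends entirely on which anchor the relying party chose, not on who delivered the bag. It uses only the standard library's crypto/x509 verifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // serial-number counter for the constructed toy PKI

// issue creates a certificate for cn. When parent is nil the certificate is
// self-signed; otherwise it is signed by parentKey and names parent as issuer.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// DemoPKI is a constructed hierarchy: Root signs Inter, Inter signs Leaf.
// Stray is a self-signed CA that nobody in the hierarchy vouches for.
type DemoPKI struct {
	Root, Inter, Leaf, Stray *x509.Certificate
}

func NewDemoPKI() DemoPKI {
	root, rootKey := issue("Root CA", true, nil, nil)
	inter, interKey := issue("Intermediate CA", true, root, rootKey)
	leaf, _ := issue("leaf.example", false, inter, interKey)
	stray, _ := issue("Stray CA", true, nil, nil)
	return DemoPKI{Root: root, Inter: inter, Leaf: leaf, Stray: stray}
}

// ValidatePath treats bag purely as untrusted hints. anchors are the trust
// anchors the relying party chose; a path is accepted only if every signature
// from leaf up to one of them verifies. Returns subject names, leaf first.
func ValidatePath(leaf *x509.Certificate, anchors, bag []*x509.Certificate) ([]string, error) {
	roots := x509.NewCertPool() // empty pool, not nil: never fall back to system roots
	for _, a := range anchors {
		roots.AddCert(a)
	}
	hints := x509.NewCertPool()
	for _, c := range bag {
		hints.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: hints,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	p := NewDemoPKI()
	// The "bag-o'-certs" as it might be handed over: unordered, with a stray cert mixed in.
	bag := []*x509.Certificate{p.Stray, p.Inter, p.Root}
	path, err := ValidatePath(p.Leaf, []*x509.Certificate{p.Root}, bag)
	fmt.Println("anchor = Root CA:", path, err)
	_, err = ValidatePath(p.Leaf, []*x509.Certificate{p.Stray}, bag)
	fmt.Println("anchor = Stray CA:", err)
}
```

The order of the bag never matters to the verifier, and the stray CA is simply ignored when it cannot be linked to the chosen anchor; conversely, choosing the stray CA as the anchor makes the whole bag worthless, since nothing in it chains up to that key. A relying party that instead pointed Roots at whatever the bag contained would be doing exactly what the reply warns against: letting the sender's delivery stand in for its own validation.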