Stephen Kent wrote:
> > Frank Balluffi said:
> > > > The client should supply some subset of each requested path which must
> > > > include the least significant certificate and optionally:
> > > >
> > > > - one or more intermediate certificates
> > > > - one or more trusted certificates
> >
> > Steve Kent said:
> > > An intermediate cert that is not trusted, but is not the end of a
> > > partial path? Why? This is getting complicated.
One good reason to allow the client to supply to a DPD server an arbitrary collection of certificates is that this is exactly what's delivered in a signed S/MIME message: a bunch of certificates that may be useful in building a path from a trust anchor to the sender. Multiple intermediate certificates are explicitly allowed.
For instance, I might have an EE cert from Sun, which has CA certs from Thawte and the Federal Bridge CA. When sending an email, I might include all of these certs with the message. The DPD server can use these in conjunction with the client's trust anchors (perhaps a self-signed Thawte cert) to build a path.
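The path-building step described in the reply above, as an added example that is not part of the thread or of any DPD server implementation: a small Python path builder that takes the bag of certificates shipped with a signed S/MIME message, plus the client's own trust anchors, and finds every path from the end-entity certificate up to an anchor. Certificates are modelled only by subject, issuer and key identifiers; the names (such as "O=Sun CA") and key ids (such as "k-thawte") are constructed for the scenario in the message, and signatures are not cryptographically verified, so the block shows the search over issuer links, not full validation. Note that a self-signed certificate that merely arrives in the bag (the Federal Bridge CA cert below) is never treated as an anchor; only the client's configured anchors terminate a path.

```python
"""Toy certification-path builder over a client-supplied bag of certificates.

Added illustration; not code from the thread or from any DPD/SCVP server.
Certificates are names plus SKI/AKI key identifiers; signatures are NOT
verified. The point is the graph search from end entity to trust anchor.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str            # subject key identifier (id of this cert's key)
    aki: str            # authority key identifier (id of the signing key)
    is_ca: bool = False


def build_paths(target: Cert, supplied: Iterable[Cert],
                trust_anchors: Iterable[Cert],
                max_depth: int = 8) -> List[List[Cert]]:
    """Return every path from `target` (the least significant cert) to one
    of `trust_anchors`, each as a list [target, ..., anchor].

    Only certificates in `trust_anchors` terminate a path.  A self-signed
    certificate that is merely present in `supplied` is an untrusted node
    like any other, so a sender cannot vouch for itself by shipping a root.
    """
    anchors_by_ski: Dict[str, Cert] = {a.ski: a for a in trust_anchors}
    supplied_by_ski: Dict[str, List[Cert]] = {}
    for c in supplied:
        supplied_by_ski.setdefault(c.ski, []).append(c)

    paths: List[List[Cert]] = []

    def extend(path: List[Cert]) -> None:
        head = path[-1]
        if len(path) > max_depth:
            return  # bound the search; malformed bags can be large
        # Does one of the client's trust anchors sign the current head?
        anchor = anchors_by_ski.get(head.aki)
        if anchor is not None and anchor.subject == head.issuer:
            paths.append(path + [anchor])
            return  # reached trust; no need to look further up
        # Otherwise try every supplied CA cert whose key signed the head.
        for cand in supplied_by_ski.get(head.aki, []):
            if cand.subject != head.issuer or not cand.is_ca or cand in path:
                continue  # name mismatch, not a CA, or would loop
            extend(path + [cand])

    extend([target])
    return paths


def subjects(path: List[Cert]) -> List[str]:
    """Readable view of a path: the subject names from end entity to anchor."""
    return [c.subject for c in path]


# Constructed scenario from the message: an EE cert issued by Sun's CA, whose
# key has been certified both by Thawte and by the Federal Bridge CA.  The
# sender ships everything it has, including two self-signed roots.
SUN_EE = Cert("CN=alice,O=Sun", "O=Sun CA", ski="k-alice", aki="k-sun")
SUN_CA_VIA_THAWTE = Cert("O=Sun CA", "O=Thawte",
                         ski="k-sun", aki="k-thawte", is_ca=True)
SUN_CA_VIA_FBCA = Cert("O=Sun CA", "O=Federal Bridge CA",
                       ski="k-sun", aki="k-fbca", is_ca=True)
FBCA_SELF = Cert("O=Federal Bridge CA", "O=Federal Bridge CA",
                 ski="k-fbca", aki="k-fbca", is_ca=True)
THAWTE_SELF = Cert("O=Thawte", "O=Thawte",
                   ski="k-thawte", aki="k-thawte", is_ca=True)

MESSAGE_CERTS = [SUN_EE, SUN_CA_VIA_THAWTE, SUN_CA_VIA_FBCA,
                 FBCA_SELF, THAWTE_SELF]


if __name__ == "__main__":
    # Client trusts only Thawte: the FBCA branch is a dead end.
    for p in build_paths(SUN_EE, MESSAGE_CERTS, [THAWTE_SELF]):
        print(" -> ".join(subjects(p)))
    # Client also trusts the Federal Bridge CA: both branches succeed.
    for p in build_paths(SUN_EE, MESSAGE_CERTS, [THAWTE_SELF, FBCA_SELF]):
        print(" -> ".join(subjects(p)))
```

With only the Thawte anchor configured, the builder finds the single path through the Thawte-issued Sun CA cert; the Federal Bridge branch ends at the shipped self-signed FBCA cert, which is ignored because it is not one of the client's anchors. Adding the Federal Bridge CA as a second anchor yields both paths, which is the case where the server needs the full bag rather than a single chain.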