[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Can we make this kind of certificate?

To: ietf-pkix@xxxxxxx
Subject: Re: Can we make this kind of certificate?
From: Jean-Marc Desperrier <jmdesp@xxxxxxx>
Date: Sat, 06 Mar 2004 11:01:32 +0100
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <> <> <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:) Gecko/20040226

Richard Levitte - VMS Whacker wrote:

levitte> ...  However, there's nothing stopping you from having
levitte> several certificates, signed by several CAs, from the same
levitte> certificate request.  [...]

[...]  I haven't analysed the effects of such action in any
way, and before rushing to do what I said, I'd give it some extra
careful thought if I were you. [...]

It better be correctly interpreted correctly by software, because it's susceptible to happen all the time. This said it can be a cause for problems with Microsoft CAPI that relies too much on key based AKI/SKI.

One case were it could happen even if not intented is the earlier Gemplus smart card some years ago (the GPK4000 model), that were not able to do on-board generation, so they would pretend to generate a key and give back always the same one.

Moreover, this case is very similar to cross-certificates.

References:
- Can we make this kind of certificate?
  - From: Jaeho Yoon
- Re: Can we make this kind of certificate?
  - From: Richard Levitte - VMS Whacker
- Re: Can we make this kind of certificate?
  - From: Richard Levitte - VMS Whacker

Prev by Date: Re: Can we make this kind of certificate?
Next by Date: Re: Can we make this kind of certificate?
Previous by thread: Re: Can we make this kind of certificate?
Next by thread: Re: Can we make this kind of certificate?
Index(es):
- Date
- Thread