[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Self-signed root transport and CA expiration

To: ssl-talk@xxxxxxxxxxxx, ietf-pkix@xxxxxxxxxx
Subject: Re: Self-signed root transport and CA expiration
From: dpkemp@xxxxxxxxxxxxxx (David P. Kemp)
Date: Tue, 19 Nov 1996 09:11:42 -0500

> There's been some discussion recently on whether it is appropriate to
> include self-signed root CA certificates in a certificate chain being sent
> to support a particular certificate. (I've seen this both with respect to
> S/MIME and SSL.) One point in support of sending roots, which I haven't
> seen mentioned, is the question of resolving CA keys.


Tim,
  I'm missing something in the context of this question - what is the
purpose of sending the root CA certificate?

Since the receiver of the certificate chain must validate the 2nd 
(1 level down from root) cert with the root's securely-configured
public key (i.e. not a putative root key received on-the-fly), what
is the benefit of *ever* sending the root cert as part of a chain?

In 1999 when the Verisign root expires, it's probably best to install
the new root cert using the same procedure the old one was installed
with in the first place (verifying fingerprints from a newspaper
ad, physical transport, or whatever).  Anything else is just
begging for trouble.

        dpk

Follow-Ups:
- Re: Self-signed root transport and CA expiration
  - From: Tim Dierks

Prev by Date: Delivery-Report (failure) for deane.erwin@gsa.gov
Next by Date: unsubscribe
Previous by thread: Self-signed root transport and CA expiration
Next by thread: Re: Self-signed root transport and CA expiration
Index(es):
- Date
- Thread