Victor Duchovni <[EMAIL PROTECTED]> writes: >What I don't understand is how the old (finally expired) root helps to >validate the new unexpired root, when a verifier has the old root and the >server presents the new root in its trust chain.
You use the key in the old root to validate the self-signature in the new root. Since they're the same key, you know that the new root supersedes the expired one. Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]