Um, feel free to point me elsewhere, but I'm having trouble visualizing
what's being discussed.  I keep reading "branched certificate chain", but
what I understood from the description is like this:

Before:                    OurRoot ---> Level1 ---> EndUsers
After:      IdenTrust ---> OurRoot ---> Level1 ---> EndUsers

where the arrow is pronounced "signed".  In what way is this branched?

Now, if you did it this way:

Before:     OurRoot ---> Level1 ---> EndUsers

            OurRoot  \
After:                --> Level1 ---> EndUsers
                      -->
            IdenTrust/

(That is, two roots have signed the Level1 CA's cert), then I could see
calling it "branched", and that a very simple verification algorithm could
be confused.  But multiple signatures don't seem to be allowed by the
ASN.1 definition of Certificate that I find in RFC3280, so this can't
happen.

I guess that the "branching" is actually this:  the verification code
reaches a point at which it is known that a certificate for OurRoot is in
our store of trusted roots, and *also* that a different, non-self-signed
certificate was provided by the other end.  The code could:

o  check first in its own store, when verifying Level1, see a self-signed
   cert. that is trusted, and consider the chain completed;

o  check first in the stack of cert.s offered in the exchange, see that
   OurRoot is itself a subordinate cert., and continue chaining back to
   IdenTrust;

o  check *both*, note a discrepancy, yell "bloody murder!" and ask the
   user for a decision.

If I've misunderstood the problem, what would you recommend I read?

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Open-source executable:  $0.00.  Source:  $0.00  Control:  priceless!

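An added illustration of the three strategies the message lists (not part of the original post and not OpenSSL's own path-building code): a toy path builder run over constructed certificates, where the trust store holds the old self-signed OurRoot and the peer sends a cross-signed OurRoot issued by IdenTrust. Names, key ids and the status strings are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str          # id of the subject's public key (no real crypto here)
    signing_key: str  # id of the key that produced this cert's signature

    def self_signed(self):
        return self.subject == self.issuer and self.key == self.signing_key

    def label(self):
        return f"{self.subject}<-{self.issuer}"


# Constructed sample: the trust store holds the old self-signed OurRoot, while
# the peer presents the leaf, Level1 and a cross-signed OurRoot issued by IdenTrust.
OUR_ROOT_SELF = Cert("OurRoot", "OurRoot", "k_root", "k_root")
OUR_ROOT_CROSS = Cert("OurRoot", "IdenTrust", "k_root", "k_identrust")
LEVEL1 = Cert("Level1", "OurRoot", "k_l1", "k_root")
END_USER = Cert("alice", "Level1", "k_alice", "k_l1")
TRUST_STORE = [OUR_ROOT_SELF]
PRESENTED = [END_USER, LEVEL1, OUR_ROOT_CROSS]


def issuers_of(cert, pool):
    """Certs in pool whose subject and key match cert's issuer and signing key."""
    return [c for c in pool if c.subject == cert.issuer and c.key == cert.signing_key]


def build_chain(leaf, presented, trust_store, strategy):
    """Walk issuers using 'store_first', 'presented_first' or 'both'.

    Returns (status, [labels]). 'both' stops with 'conflict' as soon as the
    store and the presented stack offer different certs for the same issuer key.
    """
    chain = [leaf]
    while True:
        cur = chain[-1]
        from_store = issuers_of(cur, trust_store)
        from_peer = [c for c in issuers_of(cur, presented) if c not in chain]
        if strategy == "both" and from_store and from_peer and from_store[0] != from_peer[0]:
            return "conflict", [c.label() for c in chain]
        order = from_peer + from_store if strategy == "presented_first" else from_store + from_peer
        if not order:
            return "no_issuer", [c.label() for c in chain]
        nxt = order[0]
        chain.append(nxt)
        if nxt.self_signed():
            return ("trusted" if nxt in trust_store else "untrusted_root"), [c.label() for c in chain]
```

With these inputs, 'store_first' ends at the trusted self-signed OurRoot, 'presented_first' follows the cross-signed OurRoot and then runs out of issuers at IdenTrust, and 'both' reports the discrepancy at the Level1 step.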
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]