-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Um, feel free to point me elsewhere, but I'm having trouble visualizing what's being discussed. I keep reading "branched certificate chain", but what I understood from the description is like this:

    Before:               OurRoot ---> Level1 ---> EndUsers
    After:   IdenTrust ---> OurRoot ---> Level1 ---> EndUsers

where the arrow is pronounced "signed". In what way is this branched?

Now, if you did it this way:

    Before:  OurRoot ---> Level1 ---> EndUsers

    After:   OurRoot   \
                        --> Level1 ---> EndUsers
             IdenTrust /

(That is, two roots have signed the Level1 CA's cert.) then I could see calling it "branched", and that a very simple verification algorithm could be confused. But multiple signatures don't seem to be allowed by the ASN.1 definition of Certificate that I find in RFC 3280, so this can't happen.

I guess that the "branching" is actually this: the verification code reaches a point at which it is known that a certificate for OurRoot is in our store of trusted roots, and *also* that a different, non-self-signed certificate was provided by the other end. The code could:

 o check first in its own store, when verifying Level1, see a self-signed cert. that is trusted, and consider the chain completed;

 o check first in the stack of certs offered in the exchange, see that OurRoot is itself a subordinate cert., and continue chaining back to IdenTrust;

 o check *both*, note a discrepancy, yell "bloody murder!" and ask the user for a decision.

If I've misunderstood the problem, what would you recommend I read?

- -- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Open-source executable: $0.00.  Source: $0.00  Control: priceless!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

iD8DBQFAh+WUs/NR4JuTKG8RAi/eAJ4wirlIcDZTUNVGnlp6U+DyVXl35wCfX2i6
HQ99YtYMAilcyLM/i1pmZv4=
=PHLU
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
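The situation the post describes (one OurRoot key that exists both as a self-signed trust anchor and as a certificate cross-signed by IdenTrust) can be built with throw-away keys and handed to `openssl verify` to see which of the three strategies the library actually takes. This is an added example, not code from the post or from the OpenSSL project; the names IdenTrust, OurRoot, Level1 and EndUser are taken from the post, every key and certificate is generated on the spot (nothing here is real IdenTrust material), and the output strings in the `echo` lines are the script's own labels. It assumes an `openssl` binary from 1.1.0 or later on `PATH`, which is where `-untrusted`, `-partial_chain` and `-no-CApath` come from.

```shell
#!/bin/sh
# Added example: a two-root PKI in a temp dir, then `openssl verify` runs that
# show how chain building resolves the "branch" at OurRoot.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a P-256 key and a CSR for a given short name / CN (all constructed).
mk_key_and_csr() {   # $1 = file stem, $2 = CN
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$WORK/ee.ext"

    mk_key_and_csr identrust IdenTrust
    mk_key_and_csr ourroot   OurRoot
    mk_key_and_csr level1    Level1
    mk_key_and_csr enduser   EndUser

    # IdenTrust: an ordinary self-signed root.
    openssl x509 -req -in "$WORK/identrust.csr" -signkey "$WORK/identrust.key" \
        -extfile "$WORK/ca.ext" -set_serial 1 -days 365 -out "$WORK/identrust.pem" 2>/dev/null
    # OurRoot, self-signed: what relying parties already have in their store ("Before").
    openssl x509 -req -in "$WORK/ourroot.csr" -signkey "$WORK/ourroot.key" \
        -extfile "$WORK/ca.ext" -set_serial 2 -days 365 -out "$WORK/ourroot-self.pem" 2>/dev/null
    # OurRoot, cross-signed by IdenTrust: same CSR, so same key and subject, different issuer ("After").
    openssl x509 -req -in "$WORK/ourroot.csr" -CA "$WORK/identrust.pem" -CAkey "$WORK/identrust.key" \
        -extfile "$WORK/ca.ext" -set_serial 3 -days 365 -out "$WORK/ourroot-cross.pem" 2>/dev/null
    # Level1 is signed once, by OurRoot's key; it is the same certificate under either root.
    openssl x509 -req -in "$WORK/level1.csr" -CA "$WORK/ourroot-self.pem" -CAkey "$WORK/ourroot.key" \
        -extfile "$WORK/ca.ext" -set_serial 4 -days 365 -out "$WORK/level1.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/enduser.csr" -CA "$WORK/level1.pem" -CAkey "$WORK/level1.key" \
        -extfile "$WORK/ee.ext" -set_serial 5 -days 365 -out "$WORK/enduser.pem" 2>/dev/null

    # The stack a peer would send after cross-signing: Level1 plus the cross-signed OurRoot.
    cat "$WORK/level1.pem" "$WORK/ourroot-cross.pem" > "$WORK/chain-after.pem"
}

# verify_chain TRUSTED UNTRUSTED [extra verify flags...]; exit status is openssl's.
# -no-CApath keeps the system trust directory out of the picture.
verify_chain() {
    trusted=$1; untrusted=$2; shift 2
    openssl verify -no-CApath -CAfile "$trusted" -untrusted "$untrusted" "$@" "$WORK/enduser.pem"
}

# Same as verify_chain but prints OK / FAIL and always returns 0.
outcome() {
    if verify_chain "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

build_pki
echo "1. trust OurRoot(self), peer sends Level1 + OurRoot(cross): $(outcome "$WORK/ourroot-self.pem" "$WORK/chain-after.pem")"
echo "2. trust IdenTrust,     peer sends Level1 + OurRoot(cross): $(outcome "$WORK/identrust.pem" "$WORK/chain-after.pem")"
echo "3. trust IdenTrust,     peer sends only Level1:             $(outcome "$WORK/identrust.pem" "$WORK/level1.pem")"
echo "4. trust OurRoot(cross) only, default flags:               $(outcome "$WORK/ourroot-cross.pem" "$WORK/level1.pem")"
echo "5. trust OurRoot(cross) only, -partial_chain:              $(outcome "$WORK/ourroot-cross.pem" "$WORK/level1.pem" -partial_chain)"
```

Case 1 is the branch from the post: the trust store holds the self-signed OurRoot while the peer also offers the cross-signed one. OpenSSL 1.1.0 and later take the first of the three options (look in the trusted store first and stop at the self-signed anchor), which is what the `-trusted_first` flag selects and is now the default; nothing is flagged as a discrepancy. Case 2 shows the second option working for a relying party that trusts only IdenTrust, and case 3 shows that such a party still needs the cross-signed OurRoot to be sent. Cases 4 and 5 cover the post's question about a non-self-signed certificate in the store: by default the chain must end in a self-signed anchor, so a cross-signed OurRoot alone is rejected with "unable to get issuer certificate", and `-partial_chain` is what makes it an acceptable anchor.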