Victor Duchovni <[EMAIL PROTECTED]> writes:

>Generally it is enough for a TLS server or client to present its own
>certificate and all *intermediate* CA certificates; sending the root CA cert
>is optional, because if the verifying system trusts the root CA in question,
>it has a local copy of that root CA cert.

In some cases it may be useful to send the entire chain, one such being when a
CA re-issues its root with a new expiry date, as Verisign did when its roots
expired in December 1999.  The old root can be used to verify the new root.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List