Victor Duchovni <[EMAIL PROTECTED]> writes:

>Generally it is enough for a TLS server or client to present its own
>certificate and all *intermediate* CA certificates, sending the root CA cert
>is optional, because if the verifying system trusts the root CA in question,
>it has a local copy of that root CA cert.

In some cases it may be useful to send the entire chain, one such being when a CA re-issues its root with a new expiry date, as Verisign did when its roots expired in December 1999. The old root can be used to verify the new root.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]