Victor Duchovni <[EMAIL PROTECTED]> writes:

>Generally it is enough for a TLS server or client to present its own
>certificate and all *intermediate* CA certificates; sending the root CA cert
>is optional, because if the verifying system trusts the root CA in question,
>it has a local copy of that root CA cert.

In some cases it may be useful to send the entire chain, one such being when a
CA re-issues its root with a new expiry date, as Verisign did when its roots
expired in December 1999.  The old root can be used to verify the new root.


The Cryptography Mailing List
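
The point made in the reply, as an added example that is not part of the original message: a client holding only the old root can authenticate a re-issued root delivered in the chain. It assumes the re-issued root keeps the same key pair and subject name and changes only its validity dates; the names, dates and keys are constructed, and the third-party `cryptography` package is required.

```python
# Added example: constructed certificates, not real CA material.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA (constructed)")])

def make_root(key, not_before, not_after):
    """Build a self-signed root: subject and issuer are both NAME."""
    return (x509.CertificateBuilder()
            .subject_name(NAME).issuer_name(NAME)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))

def signed_by(cert, issuer):
    """True if the names chain and issuer's public key verifies cert's signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def not_after(cert):
    """Expiry as a naive UTC datetime, on both old and new library releases."""
    utc = getattr(cert, "not_valid_after_utc", None)
    return utc.replace(tzinfo=None) if utc else cert.not_valid_after

# Assumption: the CA re-issues under the SAME key pair, only the dates change.
shared_key = ec.generate_private_key(ec.SECP256R1())
OLD_ROOT = make_root(shared_key, dt.datetime(1996, 1, 1), dt.datetime(1999, 12, 31))
NEW_ROOT = make_root(shared_key, dt.datetime(1999, 12, 1), dt.datetime(2028, 1, 1))
# Same subject name but an unrelated key: must NOT verify under the old root.
LOOKALIKE = make_root(ec.generate_private_key(ec.SECP256R1()),
                      dt.datetime(1999, 12, 1), dt.datetime(2028, 1, 1))

if __name__ == "__main__":
    print("new root verifies under old root:", signed_by(NEW_ROOT, OLD_ROOT))
    print("lookalike verifies under old root:", signed_by(LOOKALIKE, OLD_ROOT))
    print("old root expires:", not_after(OLD_ROOT), "| new root expires:", not_after(NEW_ROOT))
```

The signature check and the validity-period check are independent: the old root's key still verifies the new root after the old root's own expiry date has passed.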