On Sat, Jan 27, 2007 at 02:12:34PM +1300, Peter Gutmann wrote:

> Victor Duchovni <[EMAIL PROTECTED]> writes:
> >Wouldn't the old root also (until it actually expires) verify any
> >certificates signed by the new root? If so, why does a server need to send
> >the new root?
> Because the client may not have the new root yet, and when they try and verify
> using the expired root the verification will fail.

I am curious how the expired trusted old root helps to verify the as
yet untrusted new root... Is there a special-case behaviour when the
old and new root share the same DN and public key? Is such special-case
behaviour standard for trust chain verification implementations (allowing
the lifetime of root CAs to be indefinitely extended by issuing new certs
with the same keys)?


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

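The question above is about how a path validator behaves when an old, expired root and a new root share the same DN and public key. The following is an added example, not part of the thread, and not the code of any real library: a toy X.509 path builder in Python that follows the RFC 5280 section 6.1.1 model in which a trust anchor is a (name, public key) pair rather than a particular certificate, so a re-issued root with the same DN and key is not a special case but the same anchor in a new wrapper. Signatures are modelled by key identifiers only (no real cryptography), and the CA names, key identifiers and dates are constructed. The `check_anchor_validity` switch reflects the one point on which real implementations differ: whether the self-signed certificate that carries the anchor is itself checked for expiry.

```python
"""Toy X.509 path validator illustrating root-CA rollover with a re-issued
root (same subject DN, same key pair, new validity period).

Teaching model only: signature verification is replaced by key-identifier
matching, and all certificates, names and dates below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str         # identifier of the subject public key
    signer_key_id: str  # identifier of the key whose signature is on the cert
    not_before: datetime
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.signer_key_id


def _sig_ok(cert: Cert, issuer: Cert) -> bool:
    """Stand-in for signature verification: the name must chain and the
    issuer's public key must be the key that signed `cert`."""
    return cert.issuer == issuer.subject and cert.signer_key_id == issuer.key_id


def _valid_at(cert: Cert, now: datetime) -> bool:
    return cert.not_before <= now <= cert.not_after


def _is_anchor(cert: Cert, anchors) -> bool:
    """RFC 5280 6.1.1 model: a trust anchor is a (name, public key) pair, so
    any self-signed cert carrying that pair is the anchor, whichever copy."""
    return cert.self_signed and any(
        cert.subject == a.subject and cert.key_id == a.key_id for a in anchors)


def validate(leaf, extra, anchors, now, check_anchor_validity=True):
    """Build and check a path from `leaf` through `extra` (certs the peer
    sent) and `anchors` (the local trust store). Returns (ok, detail)."""
    path, cur = [leaf], leaf
    while True:
        anchor = _is_anchor(cur, anchors)
        if (not anchor or check_anchor_validity) and not _valid_at(cur, now):
            return False, f"{cur.subject} is outside its validity period"
        if anchor:
            return True, " -> ".join(c.subject for c in path)
        if cur.self_signed:
            return False, f"{cur.subject} is self-signed but not a trust anchor"
        # Among the issuers whose key verifies `cur`, prefer one valid now,
        # whether it came from the peer or from the trust store.
        matches = [c for c in [*extra, *anchors] if _sig_ok(cur, c) and c not in path]
        valid = [c for c in matches if _valid_at(c, now)]
        nxt = (valid or matches or [None])[0]
        if nxt is None:
            return False, f"no issuer found for {cur.subject}"
        path.append(nxt)
        cur = nxt


def _dt(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed data: one root key ("K_root") carried by two self-signed certs
# with the same DN, a rogue cert with the same DN but another key, and a leaf.
OLD_ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "K_root", "K_root",
                _dt(1997, 1, 1), _dt(2007, 1, 1))
NEW_ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "K_root", "K_root",
                _dt(2006, 1, 1), _dt(2027, 1, 1))
ROGUE_ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "K_rogue", "K_rogue",
                  _dt(2006, 1, 1), _dt(2027, 1, 1))
LEAF = Cert("CN=www.example.test", "CN=Example Root CA", "K_leaf", "K_root",
            _dt(2006, 6, 1), _dt(2008, 6, 1))
NOW = _dt(2007, 1, 27)


def scenarios():
    """Outcomes for a client whose trust store still holds only OLD_ROOT."""
    return {
        # Peer sends only the leaf: the only matching issuer is the expired
        # store copy, so verification fails.
        "old_store_leaf_only": validate(LEAF, [], [OLD_ROOT], NOW),
        # Peer also sends NEW_ROOT: same DN and key as the anchor, so it *is*
        # the anchor, and this copy is within its validity period.
        "old_store_peer_sends_new_root": validate(LEAF, [NEW_ROOT], [OLD_ROOT], NOW),
        # Same DN but a different key: not the anchor, so no help at all.
        "old_store_peer_sends_rogue_root": validate(LEAF, [ROGUE_ROOT], [OLD_ROOT], NOW),
        # Client has already updated its trust store.
        "new_store_leaf_only": validate(LEAF, [], [NEW_ROOT], NOW),
        # Strict 6.1.1 reading: the anchor is only (name, key), so the expiry
        # of the stored self-signed cert is never consulted.
        "old_store_anchor_validity_ignored":
            validate(LEAF, [], [OLD_ROOT], NOW, check_anchor_validity=False),
    }


if __name__ == "__main__":
    for name, (ok, detail) in scenarios().items():
        print(f"{name:36} {'OK ' if ok else 'FAIL'} {detail}")
```

Two things the model makes visible: the rogue root fails because anchor matching is by DN *and* key, so the DN alone buys an attacker nothing; and whether the expired store copy causes a failure at all depends only on `check_anchor_validity`, not on any special rollover logic. A validator that enforces the stored certificate's expiry needs either the new root in its store or the new root on the wire; one that treats the anchor purely as (name, key) accepts the leaf either way.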