On Sat, Jan 27, 2007 at 02:12:34PM +1300, Peter Gutmann wrote:

> Victor Duchovni <[EMAIL PROTECTED]> writes:
> 
> >Wouldn't the old root also (until it actually expires) verify any
> >certificates signed by the new root? If so, why does a server need to send
> >the new root?
> 
> Because the client may not have the new root yet, and when they try and verify
> using the expired root the verification will fail.

I am curious how the expired trusted old root helps to verify the as
yet untrusted new root... Is there a special-case behaviour when the
old and new root share the same DN and public key? Is such special-case
behaviour standard for trust chain verification implementations (allowing
the lifetime of root CAs to be indefinitely extended by issuing new certs
with the same keys)?

-- 
        Viktor.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]