On Wed, Jan 31, 2007 at 01:57:04PM +1300, Peter Gutmann wrote:

> Victor Duchovni <[EMAIL PROTECTED]> writes:
> 
> >What I don't understand is how the old (finally expired) root helps to
> >validate the new unexpired root, when a verifier has the old root and the
> >server presents the new root in its trust chain.
> 
> You use the key in the old root to validate the self-signature in the new
> root.  Since they're the same key, you know that the new root supersedes the
> expired one.

So this is a special trick to extend root CA lifetimes. How widely is
this logic implemented, and is extending root CA key lifetime in this
manner standard practice? I may have to revise the Postfix documentation
to advise users to send the root cert.

My most recent experience is ironically in the opposite direction:

    Peer finally upgrades from Windows Server 2000 to Windows Server 2003,
    and replaces unexpired Verisign CA certs (updated at some point in
    the past in the working Windows 2000) with now expired CA certs that
    were good way back, when the Windows 2003 CDs were burned :-)

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to