Florian Weimer <[EMAIL PROTECTED]> writes:

>Let me rephrase my remark: The trust anchor is conceptually separate
>from a root CA certificate.

Conceptually yes, in the same way that the Soviet constitution was conceptually quite liberal and protective of individual rights. In practice, no. Look at your browser, email app, ... to see how it's really done.

>Nothing in that section gives you permission to ignore extensions on the CA
>certificate (skipping the first entry in the certification path). In
>addition, the trust anchor cannot be used directly to verify certificates
>issued by the CA because the subject DN does not match. Ergo, the extensions
>on the CA certificate are still in force.

I think people might be getting a bit tired of this discussion of PKI quirks so how about the following: you go to the X.509 standards folks and convince them that your interpretation of the spec as given above is the correct one. Once that's done, we can continue.

Peter.