> An alternative to cross-certification called bridge CAs [ ],
> initially known as overseer CAs when they were developed
> for the Automotive Network Exchange (ANX) program and
> which were in turn based on even earlier pre-PKI work on
> inter-realm authentication [ ][ ][ ][ ], avoids this problem to
> some degree by adding a single super-root that bridges two
> or more root CAs.

Bridges have a similar end result, as far as what you trust, to what you say. But to clarify, a bridge is not a trusted root. Relying parties do not install the bridge certificate as a trusted root. They continue to use their original CA. But now certificates from another CA can chain up through the bridge to the original trusted root.

Mike

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
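
The path building described in the message above, as an added example that is not part of the original post: a relying party whose only trust anchor is its own root reaches another CA's certificate through the bridge's cross-certificates. The CA and server names are constructed, and the model tracks issuer/subject names only (no signature, validity or constraint checks).

```python
from collections import namedtuple

# A certificate reduced to the two names that drive path building.
# Signatures, validity periods and name/policy constraints are omitted.
Cert = namedtuple("Cert", "issuer subject")

def build_path(target, certs, trust_anchors):
    """Return the Certs linking a trust anchor down to `target`, or None.

    Walks issuer links upward from the target subject until it reaches a
    name in trust_anchors. `seen` stops loops, which matter here because
    cross-certification with a bridge is normally mutual.
    """
    def walk(subject, seen):
        if subject in trust_anchors:
            return []
        for cert in certs:
            if cert.subject == subject and cert.issuer not in seen:
                upper = walk(cert.issuer, seen | {cert.issuer})
                if upper is not None:
                    return upper + [cert]
        return None
    return walk(target, {target})

def chain_names(target, certs, trust_anchors):
    """Readable form of build_path: names from the anchor down to the target."""
    path = build_path(target, certs, trust_anchors)
    if path is None:
        return None
    return [target] if not path else [path[0].issuer] + [c.subject for c in path]

# Constructed PKI: two independent roots, each cross-certified with a bridge.
CERTS = [
    Cert("Root-A", "Bridge"), Cert("Bridge", "Root-A"),
    Cert("Root-B", "Bridge"), Cert("Bridge", "Root-B"),
    Cert("Root-A", "server.a.example"),
    Cert("Root-B", "server.b.example"),
]

if __name__ == "__main__":
    anchors = {"Root-A"}  # the relying party's original root; the bridge is not installed
    print(chain_names("server.b.example", CERTS, anchors))
    # Without Root-A's cross-certificate to the bridge, no path exists.
    no_cross = [c for c in CERTS if c != Cert("Root-A", "Bridge")]
    print(chain_names("server.b.example", no_cross, anchors))
```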