On 03/23/2009 08:24 AM, Simon Josefsson wrote:
> Check RFC 5280: the TBSCertificate structure contains the version, and
> the structure is signed, so to change a V1 cert to V3 cert you'd have to
> re-sign it.  That's possible of course, but you'll need the private key.
> And in that case, you might as well generate a new V3 certificate
> rather than converting information from an old one.

OK, that makes sense.  But the holder of the secret key corresponding to
a V1 certificate could very well create a matching V3 certificate...

> I'm not sure what I meant above though: if the public key is the same,
> certs signed by the V1 cert may correctly chain back to the V3 cert.

This is the interesting bit, I think.  If we could sort this out, test
it, and document how to do it, then we could provide a series of steps for CAs
to follow if they wanted to bring their root certificates into the
modern era.  (of course, convincing these particular CAs to transform
their root certificates is another story!)

        --dkg

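The chaining question raised in the reply above, worked through as an added example that is not part of the thread: the script below uses only the openssl command-line client to build a V1 self-signed root, issue a leaf under it, then re-sign the same key pair and subject name as a V3 root and check whether the old leaf still verifies against the new root. The CA name, file names and key sizes are invented for the demo; a second V3 root with a fresh key is included as a control.

```shell
#!/bin/sh
# Added example, not from the thread above.  Question under test: if a CA
# re-signs its V1 root as a V3 root over the SAME key pair (and the same
# subject name), do certificates issued under the old V1 root still chain
# to the new V3 root?  All names and paths here are made up for the demo.
set -eu

command -v openssl >/dev/null 2>&1 || {
    echo "openssl not found; nothing to demonstrate" >&2
    exit 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

ROOT_SUBJ="/O=Example Root CA/CN=Example Root"   # hypothetical CA name

# Print the X.509 version of a PEM certificate ("1" or "3").
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# Does the leaf chain to the given root?  Prints "ok" or "fail".
chains_to() {
    if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# 1. One RSA key pair for the root; it is deliberately reused in step 4.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/root.key" 2>/dev/null

# 2. Legacy V1 self-signed root: "x509 -req" with no extensions at all
#    yields a version 1 certificate (no extensions field).
openssl req -new -key "$WORK/root.key" -subj "$ROOT_SUBJ" -out "$WORK/root.csr"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -out "$WORK/root-v1.pem" 2>/dev/null

# 3. An end-entity certificate issued under the V1 root.  No
#    authorityKeyIdentifier is added: a V1 issuer has no SKID to point at.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/leaf.key" 2>/dev/null
openssl req -new -key "$WORK/leaf.key" -subj "/CN=leaf.example.test" \
    -out "$WORK/leaf.csr"
printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root-v1.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 365 \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# 4. The "modern" V3 root: same key, same subject, re-signed with the CA
#    extensions a V1 certificate cannot carry.  This is the re-signing step
#    described in the quoted reply; it needs the private key.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/root-v3.pem" 2>/dev/null

# 5. Control: a V3 root with the same subject name but a NEW key pair.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" 2>/dev/null
openssl req -new -key "$WORK/other.key" -subj "$ROOT_SUBJ" -out "$WORK/other.csr"
openssl x509 -req -in "$WORK/other.csr" -signkey "$WORK/other.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/root-v3-newkey.pem" 2>/dev/null

V1_VERSION=$(cert_version "$WORK/root-v1.pem")
V3_VERSION=$(cert_version "$WORK/root-v3.pem")
LEAF_VS_V1=$(chains_to "$WORK/root-v1.pem")
LEAF_VS_V3=$(chains_to "$WORK/root-v3.pem")
LEAF_VS_NEWKEY=$(chains_to "$WORK/root-v3-newkey.pem")

echo "root-v1 version:                      $V1_VERSION"
echo "root-v3 version:                      $V3_VERSION"
echo "leaf verifies under V1 root:          $LEAF_VS_V1"
echo "leaf verifies under same-key V3 root: $LEAF_VS_V3"
echo "leaf verifies under new-key V3 root:  $LEAF_VS_NEWKEY"
```

Run it with `sh` and an openssl client on the path. The leaf verifies under both roots because path building matches the leaf's issuer name against the candidate root's subject and then checks the signature with the root's public key; neither step looks at the root's version. The control root with a new key fails, which is the point: it is the key pair, not the certificate, that old issuances chain to. One practical caveat for a CA doing this for real: if old leaves carry an authorityKeyIdentifier in the issuer-name-plus-serial form, the re-signed V3 root must keep the old serial number or that match fails; the keyid form was never available, since a V1 root has no subjectKeyIdentifier.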