Daniel Kahn Gillmor <[EMAIL PROTECTED]> writes:

> In that case, the distinction between "shell" and "chain" models would be:
>
> * the chain model implies that the period of validity for an X.509
>   certificate is simply the validity period contained in the
>   certificate.
>
> * the shell model implies that the period of validity for an X.509
>   certificate is the intersection of the validity period in the
>   certificate and the validity period of the CA's certificate.
>
> The former is simpler to implement, but the latter seems more solidly
> secure.
>
> Why would a CA need to grant a certificate whose duration was longer
> than the CA's own expiration date, unless the CA was extending its own
> certificate? And if it wants to extend itself: do we (as users) want
> "trusted" root CAs to be able to unilaterally extend their own
> expiration date?
>
> I'd be interested in seeing any other references to these models that
> might shed more light, as I'm still not sure I understand the
> distinctions.
When trusting a CA certificate, I don't think the expiry date in that certificate matters -- you are only trusting that the public key corresponds to the CA. This is illustrated by older X.509 implementations that accepted trusted CAs not encoded as certificates but just as public keys and issuer name. Nowadays I think everyone requires a proper X.509 certificate even for the trusted CAs, to be able to validate various X.509 extension limitations.

/Simon
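To make the two models concrete, here is an added example (not code from the thread or from GnuTLS) that computes a leaf certificate's effective validity window under the "chain" and "shell" models as Daniel describes them, with an option to leave the trust anchor's own dates out of the intersection, which is Simon's point that only the anchor's key is trusted. The certificates and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: subject plus notBefore/notAfter only."""
    subject: str
    not_before: datetime
    not_after: datetime


def effective_validity(chain, model, anchor_dates_matter=True):
    """Return (start, end) during which chain[0], the leaf, is considered valid.

    chain is ordered leaf first, trust anchor last.
    "chain" model: the leaf's period is simply its own notBefore/notAfter.
    "shell" model: the leaf's period is the intersection of its own period with
    the period of every issuer above it.
    anchor_dates_matter=False drops the trust anchor from the intersection
    (the anchor's expiry is ignored because only its public key is trusted).
    An empty intersection is returned as start > end.
    """
    if model == "chain":
        return chain[0].not_before, chain[0].not_after
    if model != "shell":
        raise ValueError(f"unknown model {model!r}")
    certs = chain if anchor_dates_matter else chain[:-1]
    return max(c.not_before for c in certs), min(c.not_after for c in certs)


def is_valid_at(chain, when, model, anchor_dates_matter=True):
    """True if the leaf is valid at `when` under the chosen model."""
    start, end = effective_validity(chain, model, anchor_dates_matter)
    return start <= when <= end


# Constructed chain: the intermediate expires before the leaf, and the root
# (trust anchor) expires before both of them.
SAMPLE_CHAIN = [
    Cert("leaf", datetime(2024, 1, 1), datetime(2026, 1, 1)),
    Cert("intermediate", datetime(2020, 1, 1), datetime(2025, 1, 1)),
    Cert("root", datetime(2015, 1, 1), datetime(2024, 6, 1)),
]

if __name__ == "__main__":
    t = datetime(2024, 9, 1)
    for model, anchor in (("chain", True), ("shell", True), ("shell", False)):
        print(model, "anchor dates matter" if anchor else "anchor dates ignored",
              effective_validity(SAMPLE_CHAIN, model, anchor),
              is_valid_at(SAMPLE_CHAIN, t, model, anchor))
```

Running it shows the leaf accepted at 2024-09-01 under the chain model, rejected under the shell model once the expired root is counted, and accepted again if the anchor's dates are ignored; it also shows the intermediate's expiry cutting the leaf off at 2025-01-01 under the shell model even when the anchor is ignored.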
