As with a previous proposal, there are two ways that 'CA redundancy' can be interpreted:
1) Client can take a certificate from either CA.
2) Both CA certificates must be valid.

Add in the single CA case as case 0 and we get:

Single point of failure, failure to issue:
  Case 0: Fail (closed)
  Case 1: Success
  Case 2: Fail (closed)

Single point of failure, issue of false cert:
  Case 0: Fail (open)
  Case 1: Fail (open)
  Case 2: Fail (closed)

If you add in a three CA option with voting you can get to success in both cases. But otherwise having the multiple CA check does not provide much of a benefit.

Three CA certs does not look likely to be a compelling business case when dealing with commercial risk. Which is a real shame from my standpoint. I am more than happy to tell my CEO that we need to triple demand for certs. But I don't think I can sell that to customers.

On Thu, Dec 8, 2011 at 6:25 PM, Erwann Abalea <[email protected]> wrote:
>
> On Dec 9, 2011 00:16, "Adam Langley" <[email protected]> wrote:
> >
> > On Thu, Dec 8, 2011 at 6:10 PM, Erwann Abalea <[email protected]> wrote:
> > > 2 certificates, one with an RSA key, the other with a DSA key. This is
> > > supported both by the protocol (SSL3 at least), and by Apache. The 2
> > > certificates can of course be delivered by different CAs. I haven't tested
> > > the browsers' behavior, it may be a good thing to do ;)
> >
> > That certainly works, but the server selects only one certificate
> > chain to serve based on the selected cipher suite. Since the client's
> > advertised cipher suites are basically fixed, a given client will
> > always get the same chain, so I don't believe that this achieves the
> > CA redundancy that Daniel was looking for.
>
> True. That was a stupid idea, I just noticed this while reading RFC2246.
> This would require the client to send 2 different ciphersuites with the
> hope that 2 different certificates would show. With ECDSA, you can extend
> this stupid behavior to 3 different stuff.
>
> --
> Erwann.
>

--
Website: http://hallambaker.com/
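The two failure modes in the post (a CA that fails to issue, and a CA that issues a false certificate) can be modelled as a k-of-n acceptance policy on the client side: "either CA" is 1-of-n, "both CAs" is n-of-n, and voting is majority-of-n. The following is an added example, not code from the thread or from any of its participants; the policy names, the `CASES` table and the outcome labels are my own, chosen to match the post's cases 0 to 2 plus the three-CA voting option.

```python
"""
Added example (not part of the original thread): model a client's
k-of-n CA acceptance policy and evaluate the two single-point-of-failure
scenarios from the post.  Outcome labels follow the post's table.
"""


def threshold(policy: str, n: int) -> int:
    """How many CA-issued certificates the client requires to be valid."""
    if policy == "any":        # case 1: client takes a cert from either CA
        return 1
    if policy == "all":        # case 2: both (all n) CA certs must be valid
        return n
    if policy == "majority":   # voting among three or more CAs
        return n // 2 + 1
    raise ValueError(f"unknown policy {policy!r}")


def issuance_failure_outcome(policy: str, n: int) -> str:
    """One CA fails to issue, so the legitimate site holds only n-1 certs.
    Availability survives only if n-1 certs still satisfy the policy."""
    k = threshold(policy, n)
    return "Success" if n - 1 >= k else "Fail (closed)"


def false_cert_outcome(policy: str, n: int) -> str:
    """One CA mis-issues, so an impostor holds a single 'valid' cert.
    The impostor is accepted (fail open) if one cert satisfies the policy."""
    k = threshold(policy, n)
    return "Fail (open)" if 1 >= k else "Fail (closed)"


# Constructed mapping of the post's cases to (policy, number of CAs).
# Case 3 is the three-CA voting option the post mentions.
CASES = {
    0: ("any", 1),       # single CA
    1: ("any", 2),       # client accepts a cert from either CA
    2: ("all", 2),       # both CA certs must be valid
    3: ("majority", 3),  # three CAs with voting
}


def outcome_table() -> dict:
    """Return {case: (issuance-failure outcome, false-cert outcome)}."""
    return {
        case: (issuance_failure_outcome(policy, n), false_cert_outcome(policy, n))
        for case, (policy, n) in CASES.items()
    }


if __name__ == "__main__":
    for case, (availability, security) in outcome_table().items():
        policy, n = CASES[case]
        print(f"Case {case} ({policy}, {n} CA): "
              f"failure to issue -> {availability}; false cert -> {security}")
```

Running it reproduces the post's table for cases 0 to 2 and shows that only the majority-of-3 policy gives "Success" on the issuance failure while still closing the door on a single false certificate; the general point is that availability needs k <= n-1 and security against one rogue CA needs k >= 2, which no two-CA policy can satisfy at once.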
