Hi list
I have a question of a more general nature.
If you have 2 RootCAs that cross-certify each other, how and where does a user1 from CA1 find the certificates to verify a mail signed by a user2 from CA2?
Normally the certificate chain is included in the mail. So in this case I would find the user2 certificate, maybe some ICA certificates and the RootCA certificate of CA2 in the mail, but what I need is not the self-signed certificate of CA2 but the certificate for CA2 signed by CA1 to allow my user1 to verify the signature (because he only trusts CA1). But how can I tell user1 not to use the self-signed cert, and how do I tell him where to find this cross-cert?
Microsoft does have a cert field named AIA (authority information access), but I do not know how exactly this works and I do not know if OpenCA provides something similar.
What is the best way to deploy such a PKI infrastructure containing cross-certifications? (Is it easier to import the cross-certificates as intermediate trusted CAs into the IE store?)
Thanks for any ideas and suggestions
Pierre
_________________________
Pierre Scholtes
Unicible
tel: +41 (0)21 644 6111
fax: +41 (0)21 644 6300
mailto:[EMAIL PROTECTED]
http://www.unicible.ch
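
An added example, not part of the original post: a lab reproduction of the scenario above using the `openssl` command line (an assumption; the post itself asks about OpenCA and Microsoft clients). All names, keys and lifetimes are constructed. It shows that a verifier trusting only CA1 rejects user2's certificate until the CA2 certificate signed by CA1 is supplied as an intermediate.

```shell
#!/bin/sh
# Constructed lab PKI: every name, key and lifetime below is made up for the demo.
cross_cert_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  trap 'rm -rf "$d"' EXIT
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Two independent self-signed roots, CA1 and CA2.
  for n in 1 2; do
    openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions v3_ca \
      -subj "/CN=Demo Root CA$n" -days 30 -keyout ca$n.key -out ca$n.pem 2>/dev/null || exit 1
  done
  # Cross-certificate: CA2's subject name and public key, signed by CA1.
  openssl req -new -key ca2.key -config pki.cnf -subj "/CN=Demo Root CA2" \
    -out ca2.csr 2>/dev/null || exit 1
  openssl x509 -req -in ca2.csr -CA ca1.pem -CAkey ca1.key -CAcreateserial \
    -extfile pki.cnf -extensions v3_ca -days 30 -out ca2-by-ca1.pem 2>/dev/null || exit 1
  # user2's end-entity certificate, issued by CA2.
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=user2" \
    -keyout user2.key -out user2.csr 2>/dev/null || exit 1
  openssl x509 -req -in user2.csr -CA ca2.pem -CAkey ca2.key -CAcreateserial \
    -days 30 -out user2.pem 2>/dev/null || exit 1
  # user1 trusts only CA1 (-CAfile). First try without any intermediate,
  # then with the cross-certificate offered as an untrusted intermediate.
  if openssl verify -CAfile ca1.pem user2.pem >/dev/null 2>&1
  then a=ok; else a=fail; fi
  if openssl verify -CAfile ca1.pem -untrusted ca2-by-ca1.pem user2.pem >/dev/null 2>&1
  then b=ok; else b=fail; fi
  echo "without_cross=$a with_cross=$b"
)
cross_cert_demo
```

The cross-certificate is passed with `-untrusted` because it is only a link in the chain; the sole trust anchor remains CA1's self-signed certificate.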
