> My interpretation of this is that it does not come under the "CA
> designated responder case" because the responder certificate is signed by
> the root CA and not the CA that issued the end user certificate which
> would be the intermediate CA.
>
> However I suppose I should ask this on the PKIX list to be sure.

My interpretation is the same as yours. The AIA can only appear in the
end-entity cert, which means it can only come from the CA that actually
signed that cert.

One *could* argue that the signed-by-higher-CA case is an example of trusted
responder. It even makes some sense, since the root can just revoke the
entire intermediate CA in one fell swoop. (Note, I said *some* sense.)
/r$
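
The responder authorization cases of RFC 2560 section 4.2.2.2 that this exchange turns on, as an added sketch that is not part of the original message and is not OpenSSL code. The `Cert` record, the function name and the certificate names are assumptions made for illustration, and issuer/subject name matching stands in for real signature verification.

```python
from dataclasses import dataclass

OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning extended key usage OID


@dataclass(frozen=True)
class Cert:
    """Simplified certificate: names only, no keys or signatures (assumption)."""
    subject: str
    issuer: str
    eku: frozenset = frozenset()


def responder_authorization(target, issuing_ca, responder, locally_trusted=()):
    """Classify how, if at all, `responder` may sign OCSP status for `target`."""
    if target.issuer != issuing_ca.subject:
        raise ValueError("issuing_ca did not issue the target certificate")
    # Case 1: the response is signed by the CA that issued the target.
    if responder == issuing_ca:
        return "issuing-ca"
    # Case 2: CA designated responder. The responder certificate must be
    # issued directly by that same CA and carry the OCSP signing EKU.
    if responder.issuer == issuing_ca.subject and OCSP_SIGNING in responder.eku:
        return "ca-designated"
    # Case 3: trusted responder, accepted only through local configuration.
    if responder in locally_trusted:
        return "trusted-responder"
    return "unauthorized"


# Constructed three-level chain matching the situation in the thread.
root = Cert("Root CA", "Root CA")
inter = Cert("Intermediate CA", "Root CA")
user = Cert("End user", "Intermediate CA")
root_resp = Cert("Root OCSP responder", "Root CA", frozenset({OCSP_SIGNING}))
inter_resp = Cert("Intermediate OCSP responder", "Intermediate CA",
                  frozenset({OCSP_SIGNING}))

if __name__ == "__main__":
    # Responder signed by the root, asked about a cert the intermediate issued.
    print(responder_authorization(user, inter, root_resp))
    print(responder_authorization(user, inter, root_resp, (root_resp,)))
    # The same responder is CA designated for the intermediate CA's own status.
    print(responder_authorization(inter, root, root_resp))
```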