> My interpretation of this is that it does not come under the "CA
> designated responder case" because the responder certificate is signed by
> the root CA and not the CA that issued the end user certificate which
> would be the intermediate CA.
> 
> However I suppose I should ask this on the PKIX list to be sure.

My interpretation is the same as yours.  The AIA can only appear in the
end-entity cert, which means it can only come from the CA that actually
signed that cert.

One *could* argue that the signed-by-higher-CA case is an example of trusted
responder.  It even makes some sense, since the root can just revoke the
entire intermediate CA in one fell swoop. (Note, I said *some* sense.)
        /r$
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
