Richard Levitte - VMS Whacker wrote:
>
> From: Dr S N Henson <[EMAIL PROTECTED]>
>
> drh> At first sight handling delegated signing with multiple CAs is not
> drh> permissible. Well maybe it is but if someone does that I'd rather not to
> drh> try to code delegated verify for that case :-(
>
> One very clear way to do that is to use one private key for a number of
> delegate certificates. Security people will scream at such an idea,
> but it will work...
>
> I'm assuming someone already came up with that idea, or I'll be
> eternally regretful for feeding it to the world...
>
I haven't seen it in use yet but that's certainly one way if you use the
keyid choice for the responder ID or if you give all certificates the
same subject name.
I suspect OCSP client verify routines will choke if you do that since
they may (OpenSSL current code does) only look for the first certificate
which matches the responder ID.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
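An added illustration (not code from the thread or from OpenSSL) of the failure mode Steve describes: a client that takes the first certificate matching the OCSP ResponderID and validates only that one can reject a response signed by a valid delegate when several delegate certificates share one key. The certificate records, key bytes and validity values are constructed; the byKey hash follows RFC 2560 (SHA-1 over the subjectPublicKey bits), and the signature check is omitted because every candidate holds the same key.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str        # subject name (constructed sample)
    spk: bytes          # subjectPublicKey BIT STRING contents (constructed)
    ocsp_signing: bool  # id-kp-OCSPSigning present in extendedKeyUsage
    not_after: int      # expiry as a simple day counter (constructed)


def key_hash(spk: bytes) -> bytes:
    # byKey ResponderID: SHA-1 of subjectPublicKey, excluding tag, length
    # and number-of-unused-bits octet (RFC 2560, section 4.2.1)
    return hashlib.sha1(spk).digest()


def matches(resp_id: Tuple[str, object], cert: Cert) -> bool:
    kind, value = resp_id
    if kind == "byKey":
        return key_hash(cert.spk) == value
    if kind == "byName":
        return cert.subject == value
    raise ValueError("unknown ResponderID choice: %r" % kind)


def is_valid_delegate(cert: Cert, now: int) -> bool:
    # The delegate must carry the OCSP signing EKU and still be within validity.
    return cert.ocsp_signing and cert.not_after >= now


def pick_first_match(resp_id, certs: List[Cert], now: int) -> Optional[Cert]:
    """The behaviour discussed in the thread: stop at the first match, validate only it."""
    for c in certs:
        if matches(resp_id, c):
            return c if is_valid_delegate(c, now) else None
    return None


def pick_any_valid_match(resp_id, certs: List[Cert], now: int) -> Optional[Cert]:
    """Defensive alternative: consider every match and accept the first valid one."""
    for c in certs:
        if matches(resp_id, c) and is_valid_delegate(c, now):
            return c
    return None


SHARED_KEY = b"\x00constructed-public-key-bits"  # one key reused by both delegates
CERTS = [
    Cert("CN=OCSP Responder 2001", SHARED_KEY, True, 100),  # expired delegate
    Cert("CN=OCSP Responder 2002", SHARED_KEY, True, 500),  # current delegate
]
RESP_ID = ("byKey", key_hash(SHARED_KEY))
NOW = 200
```

With the same key in two certificates, `pick_first_match` returns nothing (the first match is expired) while `pick_any_valid_match` finds the current delegate; a real client must additionally verify the response signature against whichever certificate it selects.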