On Sat, 6 Oct 2001, Dr S N Henson wrote:

> I've been meaning to look through the pkix CRL stuff to see how this lot
> works in practice. The last time I looked I wasn't sure what (if
> anything) restricted the CRL signing certificates path when compared to
> the CA certificate.

I'm not quite sure either, to be honest, which is why I don't like the
separate certificates approach. On the other hand, I'm told that the
financial institutions, for whatever reason, *like* having separate certs
(presumably so that different people can be given access to different
private keys).

> For example if you trust two root CAs A and B you
> don't want B to be able to sign CRLs for A without some authorisation
> from A (e.g. a CRL signing certificate chaining to A).

In my particular case, we have Root CA certificates that have the same
identification (i.e. "cn=Harald's Bait Shop and CA"), but different keys
and different keyUsage fields, a slightly simpler case I think. I'm told
that this is a "standard feature" of one of the popular PKI products out
there.

I too will have to think about this some more, I guess. :-)

-- 
Harald Koch <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
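The question the two messages above circle around (which certificate is authorized to sign a CRL for a given CA, and what stops root B from signing CRLs for root A) is what RFC 5280 section 6.3.3 step (f) later pinned down: the CRL issuer's certificate must carry the cRLSign key usage and its certification path must end at the same trust anchor as the target certificate. The block below is an added example, not code from this thread or from OpenSSL. It models certificates as plain records with key identifiers standing in for subjectKeyIdentifier/authorityKeyIdentifier (no real signatures are checked), and runs that authorization rule over constructed data for the cases discussed: B trying to sign A's CRLs, a CA key without cRLSign, Harald's two same-named roots with split keyUsage, and Henson's alternative of a CRL-signing certificate issued by the CA key. All names, key ids and the helper functions are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Example only (not from the thread or from OpenSSL): a model of the PKIX
# CRL-issuer authorization check (RFC 5280 s.6.3.3 step f). Certificates are
# records; key identifiers stand in for subjectKeyIdentifier (key_id) and
# authorityKeyIdentifier (authority_key_id). Signatures are not verified here.


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str              # identifies this certificate's own key
    authority_key_id: str    # identifies the key that signed this certificate
    key_usage: FrozenSet[str]


@dataclass(frozen=True)
class CRL:
    issuer: str              # CRL issuer name
    authority_key_id: str    # AKI extension: which key signed the CRL


def find_cert(store: List[Cert], subject: str, key_id: str) -> Optional[Cert]:
    """Select a certificate by name *and* key id; two same-named roots with
    different keys (Harald's case) are told apart by the key id."""
    for c in store:
        if c.subject == subject and c.key_id == key_id:
            return c
    return None


def trust_anchor_of(cert: Cert, store: List[Cert], anchors: Set[str]) -> Optional[Cert]:
    """Follow issuer links by (name, key id) until a trust anchor is reached."""
    seen: Set[str] = set()
    cur: Optional[Cert] = cert
    while cur is not None and cur.key_id not in seen:
        seen.add(cur.key_id)
        if cur.key_id in anchors:
            return cur
        cur = find_cert(store, cur.issuer, cur.authority_key_id)
    return None


def crl_issuer_authorized(target: Cert, crl: CRL, store: List[Cert],
                          anchors: Set[str]) -> Tuple[bool, str]:
    """Decide whether the CRL's signer may speak for the issuer of `target`."""
    # Only direct CRLs are modelled: CRL issuer name must equal the cert issuer.
    if crl.issuer != target.issuer:
        return False, "CRL issuer name differs from certificate issuer (indirect CRL not handled)"
    signer = find_cert(store, crl.issuer, crl.authority_key_id)
    if signer is None:
        return False, "no certificate matches the CRL issuer name and key identifier"
    if "cRLSign" not in signer.key_usage:
        return False, "CRL signer certificate lacks the cRLSign key usage"
    ta_target = trust_anchor_of(target, store, anchors)
    ta_signer = trust_anchor_of(signer, store, anchors)
    if ta_target is None or ta_signer is None:
        return False, "certification path does not reach a trust anchor"
    if ta_target.key_id != ta_signer.key_id:
        return False, "CRL signer chains to a different trust anchor than the certificate"
    return True, "CRL issuer authorized"


# Constructed scenario (all names and key ids are made up for this example).
ROOT_A = Cert("CN=Root A", "CN=Root A", "A", "A", frozenset({"keyCertSign", "cRLSign"}))
ROOT_B = Cert("CN=Root B", "CN=Root B", "B", "B", frozenset({"keyCertSign", "cRLSign"}))
EE_A = Cert("CN=server", "CN=Root A", "ee-a", "A", frozenset({"digitalSignature"}))
# A certificate bearing A's name but issued under B: must not be accepted for A's CRLs.
A_NAMED_UNDER_B = Cert("CN=Root A", "CN=Root B", "b-issued", "B", frozenset({"cRLSign"}))

# Harald's case: two self-signed roots with the same name, different keys, split keyUsage.
BAIT = "CN=Harald's Bait Shop and CA"
BAIT_CERT_ROOT = Cert(BAIT, BAIT, "bait-cert", "bait-cert", frozenset({"keyCertSign"}))
BAIT_CRL_ROOT = Cert(BAIT, BAIT, "bait-crl", "bait-crl", frozenset({"cRLSign"}))
EE_BAIT = Cert("CN=shop", BAIT, "ee-bait", "bait-cert", frozenset({"digitalSignature"}))
# Henson's alternative: a CRL-signing certificate issued by the CA's own key.
BAIT_CRL_SUB = Cert(BAIT, BAIT, "bait-crl-sub", "bait-cert", frozenset({"cRLSign"}))

STORE = [ROOT_A, ROOT_B, EE_A, A_NAMED_UNDER_B,
         BAIT_CERT_ROOT, BAIT_CRL_ROOT, EE_BAIT, BAIT_CRL_SUB]
ANCHORS = {"A", "B", "bait-cert", "bait-crl"}   # all four self-signed roots are trusted

if __name__ == "__main__":
    cases = [
        ("A signs its own CRL", EE_A, CRL("CN=Root A", "A")),
        ("A-named cert under B signs A's CRL", EE_A, CRL("CN=Root A", "b-issued")),
        ("Bait CA key without cRLSign", EE_BAIT, CRL(BAIT, "bait-cert")),
        ("Separate same-named CRL root", EE_BAIT, CRL(BAIT, "bait-crl")),
        ("CRL cert issued by the CA key", EE_BAIT, CRL(BAIT, "bait-crl-sub")),
    ]
    for label, cert, crl in cases:
        ok, why = crl_issuer_authorized(cert, crl, STORE, ANCHORS)
        print(f"{label}: {'OK' if ok else 'REJECT'} ({why})")
```

The last two cases are the interesting ones for this thread: with the two same-named roots installed as independent trust anchors, the strict same-anchor rule rejects the CRL even though the signer has cRLSign, because nothing ties the CRL key to the key that issued the certificate; issuing the CRL-signing certificate under the CA key (Henson's suggestion) makes the two paths meet at one anchor and the check passes. Real validators additionally verify the CRL signature and handle indirect CRLs via the issuing distribution point, which this model leaves out.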
