How is it harder?  Why isn't it just a

/* walk the chain from the leaf down towards the root, checking each cert */
cert = top_of_stack(stack);
while (! at_bottom_of_stack(stack, cert))
{
    check_revocation_status(cert);
    cert = cert->next;
}

It seems that checking 3 certs isn't any harder in terms
of effort required by software like apache than checking
2.  The burden is of course on the CAs to stay on top
of things, but I don't see how a CA not doing their
due diligence makes client software any less secure.

Do you mean it's "harder" in that sysadmins have to constantly
check with the CA and update their CRLs?   If so, then
I can see the value of the tunability but if I were an admin
I would want to trust the maximum # of folks I could,
securely.  Maybe that's just me.

If you say "don't trust any stack lengths > 2" then you'll
end up with more verification failures than if you did trust
longer chains, since some of the chains would be
successfully validated.

cj

----- Original Message ----- 
From: "Rich Salz" <[EMAIL PROTECTED]>
To: "Chris Jarshant" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, April 04, 2003 2:56 PM
Subject: Re: Certificats : chain


> > Ok let me rephrase my original question: Why would
> > someone trust a cert chain of length 3 less than they
> > would a cert chain of length 2?  I see software (like
> > apache) that has a tunable acceptable-cert-chain-length
> > parameter.  Why wouldn't you just trust any cert
> > chain length?
> 
> Because it's a great deal of work to properly check if intermediates on 
> the chain have been revoked or not.  So much work that it's rarely, if 
> ever, done.  Getting the CRLs (or finding the OCSP responder :) is 
> hard, keeping them current is harder, etc.
> /r$
> 
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
> 
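An added example, not code from this thread or from the OpenSSL project, that makes the quoted point concrete with the openssl command line: it builds a constructed root -> intermediate -> leaf chain, revokes the intermediate in the root's CRL, and then runs the same `openssl verify` with `-crl_check` (leaf only, the default depth most software stops at) and with `-crl_check_all` (every cert in the chain, which needs a current CRL from every issuer). All names, subjects and file paths are constructed for the example.

```sh
# Added example (not code from the thread or from OpenSSL): build a constructed
# root -> intermediate -> leaf chain, revoke the intermediate in the root's CRL,
# then compare OpenSSL's leaf-only CRL check with its check-every-cert variant.
set -e
WORK=$(mktemp -d) && cd "$WORK"

# Minimal "openssl ca" config: enough to keep a revocation database and issue CRLs.
printf '[ ca ]\ndefault_ca = ca_default\n[ ca_default ]\ndatabase = index.txt\n' > ca.cnf
printf 'crlnumber = crlnumber\ndefault_md = sha256\ndefault_crl_days = 30\n' >> ca.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# mkcert <name> <subject> <issuer|self> [extfile]: key + CSR, signed by issuer or self.
mkcert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
    if [ "$3" = self ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.pem" -days 30 -extfile ca.ext 2>/dev/null
    else
        ext=${4:+-extfile $4}
        openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
            -out "$1.pem" -days 30 $ext 2>/dev/null
    fi
}
mkcert root  "/CN=Constructed Root" self
mkcert inter "/CN=Constructed Intermediate" root ca.ext
mkcert leaf  "/CN=leaf.example" inter

# gencrl <ca> [cert-to-revoke ...]: issue the CA's CRL from its own database directory.
gencrl() {
    ca=$1; shift
    mkdir -p "db-$ca"; touch "db-$ca/index.txt"; echo 01 > "db-$ca/crlnumber"
    for c in "$@"; do
        (cd "db-$ca" && openssl ca -config ../ca.cnf -keyfile "../$ca.key" -cert "../$ca.pem" \
            -revoke "../$c" >/dev/null 2>&1)
    done
    (cd "db-$ca" && openssl ca -config ../ca.cnf -keyfile "../$ca.key" -cert "../$ca.pem" \
        -gencrl -out "../$ca.crl" >/dev/null 2>&1)
}
gencrl root inter.pem   # root's CRL lists the intermediate as revoked
gencrl inter            # intermediate's CRL is empty: the leaf itself is fine
cat root.crl inter.crl > all.crl

# -crl_check consults only the leaf's issuer CRL, so the revoked intermediate is never looked at.
leaf_only_check() {
    openssl verify -CAfile root.pem -untrusted inter.pem -CRLfile all.crl -crl_check leaf.pem
}
# -crl_check_all (X509_V_FLAG_CRL_CHECK_ALL) checks every cert in the chain and needs a
# current CRL from every issuer, which is the work the quoted reply says is rarely done.
full_chain_check() {
    openssl verify -CAfile root.pem -untrusted inter.pem -CRLfile all.crl -crl_check_all leaf.pem
}
```

With the same CRL file in both calls, `leaf_only_check` reports `leaf.pem: OK` while `full_chain_check` fails with `certificate revoked` at depth 1; the difference is purely the check depth, which is what a tunable like apache's chain-length limit is really trading off.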
