Actually, it might be as easy as changing the "name" of the root and issuing a new L1 certificate. The branch happens when an unmodified client (which still has the local root installed) needs to decide who has signed the L1 certificate. Its two choices are
1. the local root
2. the "missing link" that the server gave it, which has the same "name" (e.g., Subject Key Identifier, which is a hash of the Subject DN information)
If you subtly change the Subject DN of the root (which in the new scheme of things becomes a first level down from the Identrus root), and then reinstall a L1 certificate in the server that has the "new" Issuer ID but the "old" Subject ID, then the end user certificate does not need to be redone (since its hash is based on the L1 "name" which was not modified), and when the verifying software is looking for the issuer of the L1 certificate, this hash HAS been modified, so the "old" root is no longer in contention...
I'll do some gedanken-thinking about this...
--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
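As an added illustration (not part of the message above and not OpenSSL code), here is a small stdlib-only Python model of the chain-building decision being discussed: a verifier holding a leaf certificate asks which of the certificates it knows can have signed it, matching the Issuer DN against Subject DNs, the Authority Key Identifier against Subject Key Identifiers, and checking the signature. Everything in it is constructed: the names, the keys, and the `ToyKey` class, which stands in for an asymmetric key pair by signing and verifying with one shared HMAC secret (a modelling shortcut that real certificates never make). Key identifiers in this model are derived from the key rather than the name, also a modelling assumption. The three scenarios in `scenario()` are the ones the post walks through: the local root alone, the ambiguous "branch" when a same-named missing link appears, and the renamed root with a reissued L1 and an untouched end-user certificate.

```python
"""Toy model of X.509 chain building: which certificate signed the L1?
Added illustration; constructed names and keys throughout, not real data."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


class ToyKey:
    """Stand-in for an asymmetric key pair (model assumption): signing and
    verifying share one HMAC secret here, which real certificates never do.
    Only the chain-building logic below is meant to be realistic."""

    def __init__(self, secret: bytes):
        self._secret = secret
        # Key identifier derived from the key (assumption of this model).
        self.key_id = hashlib.sha256(b"pub:" + secret).hexdigest()[:16]

    def sign(self, tbs: bytes) -> bytes:
        return hmac.new(self._secret, tbs, hashlib.sha256).digest()

    def verify(self, tbs: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(tbs), sig)


@dataclass
class Cert:
    subject: str        # Subject DN
    issuer: str         # Issuer DN
    key: ToyKey         # subject key; its key_id plays the SKI
    aki: str            # Authority Key Identifier: the issuer's key_id
    signature: bytes

    @property
    def ski(self) -> str:
        return self.key.key_id

    def tbs(self) -> bytes:
        """The to-be-signed part that the issuer's signature covers."""
        return f"{self.subject}|{self.issuer}|{self.ski}|{self.aki}".encode()


def issue(subject: str, key: ToyKey, issuer: str, issuer_key: ToyKey) -> Cert:
    """Issue a certificate for subject/key, signed by issuer/issuer_key."""
    cert = Cert(subject, issuer, key, issuer_key.key_id, b"")
    cert.signature = issuer_key.sign(cert.tbs())
    return cert


def issuers_of(cert: Cert, candidates: list[Cert]) -> list[Cert]:
    """A candidate counts as the issuer only if its Subject DN matches the
    Issuer DN, its SKI matches the AKI, and its key verifies the signature."""
    return [c for c in candidates
            if c.subject == cert.issuer and c.ski == cert.aki
            and c.key.verify(cert.tbs(), cert.signature)]


def build_paths(leaf: Cert, pool: list[Cert], anchors: list[Cert]) -> list[list[Cert]]:
    """Every path leaf -> ... -> trust anchor. More than one path is the
    'branch' the post describes; zero paths means the chain does not verify."""
    paths: list[list[Cert]] = []

    def walk(path: list[Cert]) -> None:
        for c in issuers_of(path[-1], pool + anchors):
            if c in anchors:
                paths.append(path + [c])
            elif c not in path:          # loop guard for self-signed certs in the pool
                walk(path + [c])

    walk([leaf])
    return paths


def subjects(paths: list[list[Cert]]) -> list[list[str]]:
    return [[c.subject for c in p] for p in paths]


def scenario() -> tuple[list[list[Cert]], list[list[Cert]], list[list[Cert]]]:
    """Three cases: before the bridge, the ambiguous 'branch', and the renamed root."""
    k_root, k_l1, k_ee, k_identrus = (ToyKey(s) for s in (b"root", b"l1", b"ee", b"identrus"))
    OLD, NEW = "CN=Local Root", "CN=Local Root, O=Identrus member"   # 'subtly changed' DN
    local_root = issue(OLD, k_root, OLD, k_root)                      # self-signed, in client store
    identrus_root = issue("CN=Identrus Root", k_identrus, "CN=Identrus Root", k_identrus)
    anchors = [local_root, identrus_root]                             # what the unmodified client trusts
    old_l1 = issue("CN=L1", k_l1, OLD, k_root)
    end_user = issue("CN=End User", k_ee, "CN=L1", k_l1)              # never reissued

    # (a) Before the bridge: only the local root can have signed L1.
    before = build_paths(end_user, [old_l1], anchors)
    # (b) Branch: a 'missing link' with the SAME name and key as the local root
    #     is a second valid issuer for the unchanged L1.
    same_name_link = issue(OLD, k_root, "CN=Identrus Root", k_identrus)
    branch = build_paths(end_user, [old_l1, same_name_link], anchors)
    # (c) Rename: the missing link carries the modified Subject DN and L1 is
    #     reissued with that Issuer DN but its old subject and key, so the end
    #     user certificate still chains without being touched.
    renamed_link = issue(NEW, k_root, "CN=Identrus Root", k_identrus)
    new_l1 = issue("CN=L1", k_l1, NEW, k_root)
    after = build_paths(end_user, [new_l1, renamed_link], anchors)
    return before, branch, after


if __name__ == "__main__":
    for label, paths in zip(("before", "branch", "after"), scenario()):
        print(label, subjects(paths))
```

Running it prints one path for the "before" case ending at the local root, two paths for the "branch" case (the verifier cannot tell the local root from the same-named missing link by name or key identifier alone), and one path for the "after" case that runs through the renamed link to the Identrus root while the end-user certificate object is the very same one used in the first case.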