You'd also need to identify that second CA. Verifying that internal
(second) signature would be tricky since you'd have to remove the
extension (tweak the DER length fields, etc) before hashing. And then
there's all the complexity of checking for revocation from the second CA.
(Which, frankly, probably wouldn't happen given how little revocation
checking is done on the "real" CA. :) For example, wouldn't you have to
keep the serial numbers in sync? And validity periods?
A simpler approach seems to be for concerned applications to require the
client to provide certificates from both CAs.
/r$
--
SOA Appliances
Application Integration Middleware
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
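The re-encoding step the message above describes (drop the second CA's signature extension, then fix up every enclosing DER length before hashing) as an added example; this is not code from the original post or from OpenSSL. It uses a toy, simplified TBSCertificate built inline (issuer, validity, subject and SPKI omitted), a placeholder private-arc OID `1.3.6.1.4.1.99999.1` standing in for the hypothetical second-signature extension, and 128 bytes of constructed filler in place of a real signature; only the Python standard library is used.

```python
"""Remove one extension from a DER TBSCertificate and rebuild the lengths."""
import hashlib

# Placeholder OID for the hypothetical second-CA signature extension.
# Arbitrary private-enterprise-arc value for this example, not a registered OID.
SECOND_SIG_OID = "1.3.6.1.4.1.99999.1"

# --- minimal DER helpers (single-byte tags only, which is all X.509 needs) ---

def der_len(n):
    """DER length: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[start:end], end

def children(body):
    """Yield (tag, body) for each TLV packed inside a constructed body."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

# --- constructed sample: a cut-down TBSCertificate with two extensions ---

def extension(oid, value, critical=False):
    body = tlv(0x06, encode_oid(oid))
    if critical:
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))

def build_tbs(extensions):
    """Toy TBSCertificate: version, serial, signature algorithm, [3] extensions.
    Issuer, validity, subject and SPKI are left out; the stripping code never
    touches them, it only rewrites the [3] EXPLICIT extensions field."""
    body = tlv(0xA0, tlv(0x02, b"\x02"))                     # version v3
    body += tlv(0x02, b"\x12\x34")                            # serialNumber
    body += tlv(0x30, tlv(0x06, encode_oid("1.2.840.113549.1.1.11"))
                + tlv(0x05, b""))                             # sha256WithRSA
    if extensions:                                            # never emit an empty [3]
        body += tlv(0xA3, tlv(0x30, b"".join(extensions)))
    return tlv(0x30, body)

BASIC_CONSTRAINTS = extension("2.5.29.19", tlv(0x30, b""), critical=True)
SECOND_SIG = extension(SECOND_SIG_OID, bytes(range(128)))  # constructed filler
SAMPLE_TBS = build_tbs([BASIC_CONSTRAINTS, SECOND_SIG])

# --- the operation the message describes ---

def strip_extension(tbs, oid):
    """Return tbs with the extension identified by oid removed and every
    enclosing length (Extension SEQUENCE, [3], outer SEQUENCE) recomputed."""
    target = tlv(0x06, encode_oid(oid))
    tag, body, end = read_tlv(tbs, 0)
    if tag != 0x30 or end != len(tbs):
        raise ValueError("not a single DER SEQUENCE")
    rebuilt = b""
    for ctag, cbody in children(body):
        if ctag != 0xA3:
            rebuilt += tlv(ctag, cbody)
            continue
        _, ext_seq, _ = read_tlv(cbody, 0)
        kept = [tlv(t, b) for t, b in children(ext_seq) if not b.startswith(target)]
        if kept:      # RFC 5280: the extensions list, if present, is non-empty
            rebuilt += tlv(0xA3, tlv(0x30, b"".join(kept)))
    return tlv(0x30, rebuilt)

def has_extension(tbs, oid):
    target = tlv(0x06, encode_oid(oid))
    _, body, _ = read_tlv(tbs, 0)
    for ctag, cbody in children(body):
        if ctag == 0xA3:
            _, ext_seq, _ = read_tlv(cbody, 0)
            return any(b.startswith(target) for _, b in children(ext_seq))
    return False

def second_ca_digest(tbs):
    """SHA-256 over the TBS with the second signature's own extension removed:
    the value the second CA would actually have signed."""
    return hashlib.sha256(strip_extension(tbs, SECOND_SIG_OID)).hexdigest()
```

On the sample, the 128-byte filler pushes the outer SEQUENCE, the [3] wrapper and the extension list into two-byte long-form lengths (`81 xx`); after stripping, all three collapse to single-byte short-form lengths, which is exactly the "tweak the DER length fields" work the message refers to. The example stops at producing the bytes to hash; checking the resulting signature against the second CA's key and doing that CA's revocation checking are separate steps it does not cover.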