On Mon, Jan 31, 2011 at 9:50 PM, Nick Mathewson <ni...@freehaven.net> wrote:
[...]
> To authenticate the server, the client MUST check the following:
>   * The CERTS cell contains exactly one CertType 1 "Link" certificate.
>   * The CERTS cell contains exactly one CertType 2 "ID" certificate.
>   * Both certificates have validAfter and validUntil dates that are not expired.
>   * The certified key in the Link certificate matches the link key that was used to negotiate the TLS connection.
>   * The certified key in the ID certificate is a 1024-bit RSA key.
>   * The certified key in the ID certificate was used to sign both certificates.
>   * The link certificate is correctly signed with the key in the ID certificate.
>   * The ID certificate is correctly self-signed.
Robert Ransom responded to an earlier draft of this proposal, suggesting that instead of being self-signed, the ID certificate should be cross-certified by the link key. He said:

> > Yes. I'm not exactly sure why I'm suggesting it.
> >
> > When an OpenPGP public key has a subkey which can be used to generate
> > signatures, GPG requires that that subkey sign the main public key, in
> > addition to requiring that the main public key sign the subkey. The
> > GPG man page states that this prevents some attacks. I don't know
> > whether the cross-certification I'm asking for above prevents any
> > attacks we care about.

[Posted here with permission]

yrs,
--
Nick
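The client-side checks quoted in the proposal, turned into a small verifier as an added example (not code from the proposal, from Tor, or from either poster). Keys, certificates, dates and the `Key`/`Cert` records are constructed assumptions, and a forgeable hash stands in for real RSA signature verification so the example runs offline; the point is the order and outcome of the policy checks, not the crypto.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone
import hashlib, hmac

LINK, ID = 1, 2  # CertType values named in the proposal text
Key = namedtuple("Key", "alg modulus")  # modulus.bit_length() is the key size
Cert = namedtuple("Cert", "cert_type valid_after valid_until key signature", defaults=(b"",))

def toy_sign(signer, c):
    # Offline stand-in for RSA signing over every field except the signature.
    # It is forgeable and proves nothing; the policy checks below are the point.
    body = f"{c.cert_type}|{c.valid_after}|{c.valid_until}|{c.key.alg}|{c.key.modulus:x}"
    return hashlib.sha256(f"{body}|{signer.modulus:x}".encode()).digest()

def toy_verify(signer, c):
    return hmac.compare_digest(c.signature, toy_sign(signer, c))

def make_cert(cert_type, key, signer, valid_after, valid_until):
    c = Cert(cert_type, valid_after, valid_until, key)
    return c._replace(signature=toy_sign(signer, c))

def authenticate_server(certs, tls_link_key, now, verify=toy_verify):
    """Apply the proposal's checks in order; return (ok, reason)."""
    links = [c for c in certs if c.cert_type == LINK]
    ids = [c for c in certs if c.cert_type == ID]
    if len(links) != 1: return False, "need exactly one Link cert"
    if len(ids) != 1: return False, "need exactly one ID cert"
    link, ident = links[0], ids[0]
    if not all(c.valid_after <= now <= c.valid_until for c in (link, ident)):
        return False, "certificate expired or not yet valid"
    if link.key != tls_link_key: return False, "Link cert key != TLS link key"
    if ident.key.alg != "RSA" or ident.key.modulus.bit_length() != 1024:
        return False, "ID key is not 1024-bit RSA"
    if not verify(ident.key, link): return False, "Link cert not signed by ID key"
    if not verify(ident.key, ident): return False, "ID cert not self-signed"
    return True, "ok"

# Constructed sample data (not real Tor keys or certificates).
NOW = datetime(2011, 2, 1, tzinfo=timezone.utc)
ID_KEY, LINK_KEY = Key("RSA", (1 << 1023) | 0x10001), Key("RSA", (1 << 1023) | 3)

def sample_certs(link_key=LINK_KEY, id_key=ID_KEY, link_signer=None):
    after, until = NOW - timedelta(days=1), NOW + timedelta(days=30)
    return [make_cert(LINK, link_key, link_signer or id_key, after, until),
            make_cert(ID, id_key, id_key, after, until)]
```

Against real CERTS cell contents the `verify` argument would be replaced by an actual RSA signature check over the DER certificate, with the `Key` and `Cert` fields filled from the parsed X.509 structures.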