In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Per Hedeland) wrote:
> But there is obviously no way to establish that the claimed > counter-signatory isn't totally faked by just looking at the certificate Just for clarification, I was assuming in that paragraph that the certificate chain was good, i.e. the browser had a copy of one of the certificates in the chain and it was marked good for the purpose for which it was used. The issue I was thinking of is that, for example, Verisign issue certificates under several different counter signatures. Some of those represent a very thorough check of identity documents, and some of them don't. Most people do not disable weaker ones in their browser. It may be the case that a user is happy with accepting one of the certifying authority's weaker checks for some purposes, but will only accept a strong check for others. As a result, there may, sometimes, be a need to find out exactly which, verified, counter signature was used. I think Per and I actually agree. _______________________________________________ questions mailing list [email protected] https://lists.ntp.isc.org/mailman/listinfo/questions
