I am sorry if the questions (or some of them) were previously discussed in
the list.

My question is about the procedure of Certificate Chain Validation.
I am using a web-based tool that generates and processes some certificate
management SET commands (the URL is http://freecerts.entrust.com/setcerts/ ).

I could successfully send the Me_AqCInitReq command to my MCA.
I did not include any thumbs in the Me_AqCInitReq command, since I haven't got
any yet.

In response to my message, the Me_AqCInitRes command included 10 SET certificates
(six Root Certificates, two BCA Certificates and two MCA certificates).

(
Please don't mind if imagination of this situation bothers you.
Just think a fresh SET application is talking to its Certificate Authority
in the year 2001.
)

Questions:

1. Why are there exactly six root certificates, two BCA Certificates and
two MCA certificates?

2. If the 6 root certificates make up the history of Root Certificates (i.e.
as specified in the Root Key Distribution and Authentication part of SET Book 2,
root keys are generated and distributed in a scheduled manner), do I have to
chain back through all the root certificates until I reach the initial root
certificate?

3. Last question: What is the methodology of constructing a typical SET
Certificate Chain?
According to the above situation, certificates are listed in a
Certificates[] data structure.
What is the exact relationship (attribute name) I should search for between
these certificates to construct a chain? Which corresponds to others' issuer's
Public Key Certificate and vice versa? I think there is more than one
certificate chain in the message that I received.

Thanks. Sincerely.

