On Wednesday, June 27, 2001 8:04 AM, Gökhan AFACAN wrote:

> 1. Why are there exactly six root certificates and two BCA certificates
> and two MCA certificates?

I would have to see all of the certificates to be sure, but my best guess is that the six root certificates are the entire history of root certificates (back to the original root) and that the BCA and MCA certificates correspond to other certificates included in the distribution.

> 2. If the 6 root certificates make up the history of Root Certificates
> (i.e. as specified in Root Key Distribution and authentication part of
> Set Book 2- root keys are generated and distributed in a scheduled
> manner), should I have to chain back all the root certificates until I
> reach the Initial root certificate?

Yes.

> 3. Last question: What is the methodology of constructing a typical SET
> Certificate Chain?
> According to the above situation, certificates are listed in a
> Certificates[] data structure.
> What is the exact relationship (attribute name) I should search for,
> between these
> certificates to construct a chain? Which corresponds to others' issuer's
> Public Key Certificate
> and vice versa? I think there is more than one certificate chain in the
> message that I received.

The certificate corresponding to the signature key of the message is indicated in the SignerInfo of SignedData. Once you find that certificate, it will indicate its parent (issuer) and grandparent (authorityKeyIdentifier extension). Root certificates chain forward from the original root using the hashedRootKey extension. You can easily order the root certificates to assist in this chaining by sorting on the validity dates.

_________________________________________________________________
Tony Lewis ([EMAIL PROTECTED])
Chief Systems Architect, Internet Commerce
Visa International Service Association
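The chaining procedure described in the reply above, as an added example that is not part of the original message or of any SET toolkit: it walks from the signer's certificate up through issuer and authorityKeyIdentifier, then orders the roots by validity date and checks each forward hashedRootKey link. The `Cert` record, its field names, the SHA-1-over-raw-key hash and the sample certificates are assumptions made for illustration; ASN.1 parsing and signature verification are left out.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:  # hypothetical, simplified view of a parsed certificate
    subject: str
    issuer: str
    serial: int
    not_before: str                  # ISO date, so string order = date order
    public_key: bytes
    aki: Optional[tuple] = None      # (issuer of parent cert, parent serial)
    hashed_root_key: Optional[bytes] = None  # roots: hash of the next root key

def key_hash(key: bytes) -> bytes:
    # Assumption: SHA-1 over raw key bytes stands in for SET's exact hash input.
    return hashlib.sha1(key).digest()

def order_roots(roots, trusted_initial_hash):
    """Sort roots by validity start and verify every forward hashedRootKey link."""
    ordered = sorted(roots, key=lambda c: c.not_before)
    if not ordered or key_hash(ordered[0].public_key) != trusted_initial_hash:
        raise ValueError("oldest root is not the trusted initial root")
    for prev, nxt in zip(ordered, ordered[1:]):
        if prev.hashed_root_key != key_hash(nxt.public_key):
            raise ValueError(f"root valid from {nxt.not_before} is not linked")
    return ordered

def build_chain(signer, certs):
    """Follow issuer + authorityKeyIdentifier from the signer up to a root."""
    index = {(c.subject, c.issuer, c.serial): c for c in certs}
    chain = [signer]
    while chain[-1].subject != chain[-1].issuer:   # stop at a self-issued root
        cur = chain[-1]
        if cur.aki is None or len(chain) > len(certs):
            raise ValueError("cannot continue chain from " + cur.subject)
        parent = index.get((cur.issuer, cur.aki[0], cur.aki[1]))
        if parent is None:
            raise ValueError("issuer certificate missing for " + cur.subject)
        chain.append(parent)
    return chain

# Constructed sample data: three root generations, a brand CA, a merchant CA.
def make_root(n, next_key=None):
    return Cert("Root", "Root", n, f"199{6 + n}-01-01", b"rootkey%d" % n,
                hashed_root_key=key_hash(next_key) if next_key else None)
ROOTS = [make_root(2), make_root(0, b"rootkey1"), make_root(1, b"rootkey2")]
BCA = Cert("BCA", "Root", 10, "1999-02-01", b"bca", aki=("Root", 2))
MCA = Cert("MCA", "BCA", 20, "1999-03-01", b"mca", aki=("Root", 10))
SIGNER = Cert("Merchant", "MCA", 30, "2001-01-01", b"m", aki=("BCA", 20))
```

A chain is accepted only if its last element appears in the list returned by `order_roots`, which ties the message signer back to the initial root through every intermediate root generation.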
