Hi, On 08/01/2012 12:12 AM, Ben Laurie wrote: > Many CAs were dismayed by the time it took to issue a "log proof". It > was also quite a bad name. > > So, in v2 we reduce issuance time to (effectively) zero. > > As always, comments please.
Maybe I'm missing something, or I don't understand your footnote 1 correctly. But: you state that you create a SCH over the end-host cert and the need for also hashing and signing the intermediate certs arises because you want to avoid a CA having the same cert re-issued with a different intermediate CA (that has the original intermediate CA's private key). Are you assuming then that, if a CA tried this, the DN in the issuer field of the end-host cert would be set to the same value again? E.g., empty or some standard value and the only SKID/AKID used in verification? Otherwise, if you insert an intermediate CA that has a different DN (and maybe key identifier), you'd get a different DER/PEM and a different hash already. Or maybe I'm confused. :) Ralph -- Ralph Holz Network Architectures and Services Technische Universität München http://www.net.in.tum.de/de/mitarbeiter/holz/ PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF _______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey
