On 1 August 2012 16:00, Ralph Holz <[email protected]> wrote:
> Hi,
>
> On 08/01/2012 12:12 AM, Ben Laurie wrote:
>> Many CAs were dismayed by the time it took to issue a "log proof". It
>> was also quite a bad name.
>>
>> So, in v2 we reduce issuance time to (effectively) zero.
>>
>> As always, comments please.
>
> Maybe I'm missing something, or I don't understand your footnote 1
> correctly.
>
> But: you state that you create an SCH over the end-host cert and the need
> for also hashing and signing the intermediate certs arises because you
> want to avoid a CA having the same cert re-issued with a different
> intermediate CA (that has the original intermediate CA's private key).
>
> Are you assuming then that, if a CA tried this, the DN in the issuer
> field of the end-host cert would be set to the same value again?

Of course.

> E.g., empty or some standard value, and only the SKID/AKID used in
> verification? Otherwise, if you insert an intermediate CA that has a
> different DN (and maybe key identifier), you'd get a different DER/PEM
> and a different hash already.
>
> Or maybe I'm confused. :)
>
> Ralph
>
> --
> Ralph Holz
> Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
> _______________________________________________
> therightkey mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/therightkey
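The scenario the two of them are arguing about, as an added example (not code from the thread, the draft, or either author): a leaf issued by intermediate A is shown together with intermediate B, which has A's subject DN and A's key pair but a fresh serial number. The leaf bytes, and so any hash over the leaf alone, are unchanged and the leaf still validates through B, so only a hash that also covers the intermediate distinguishes the two chains. Issuing the same leaf template under an intermediate with a different DN, by contrast, changes the issuer field and hence the leaf's own bytes, which is Ralph's point. The certificate names, serial numbers, and the length-prefixed chain-hash encoding are assumptions made for the demonstration and are not the draft's; the chain building and validation rely on Go's standard crypto/x509 behaviour (auto-generated SKID for CA templates, AKID copied from the parent).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var now = time.Now() // taken once so every template carries identical validity fields

// Demo holds the hashes and verification results of the constructed scenario.
type Demo struct {
	LeafHash       string // SHA-256 over the leaf DER alone: the same whichever intermediate is shown with it
	ChainHashA     string // SHA-256 over leaf DER + intermediate A DER
	ChainHashB     string // SHA-256 over leaf DER + intermediate B DER (A's DN and key pair, new serial)
	VerifiesUnderA bool   // the leaf chains to the root through A
	VerifiesUnderB bool   // the leaf chains to the root through B
	TBSHashA       string // SHA-256 over the leaf's TBSCertificate as issued by A
	TBSHashC       string // the same leaf template issued by C, whose subject DN differs from A's
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl under parent with signer's key and returns the parsed certificate. Go fills in
// the SKID of CA templates from the public key and copies the parent's SKID into the child's AKID.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// template builds a minimal CA or end-entity certificate template (names and serials are made up).
func template(cn string, serial int64, ca bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if ca {
		ku = x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: ku,
	}
}

// chainHash is SHA-256 over length-prefixed DER blobs (an illustrative encoding, not the draft's).
func chainHash(ders ...[]byte) string {
	h := sha256.New()
	for _, d := range ders {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(d)))
		h.Write(n[:])
		h.Write(d)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// verifies reports whether leaf chains to root through the single intermediate offered.
func verifies(leaf, inter, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

// Run builds the chains and returns what a verifier and a hash-based proof would see.
func Run() Demo {
	rootKey, interKey, leafKey := mustKey(), mustKey(), mustKey()
	rootTmpl := template("Example Root", 1, true)
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	// A actually issued the leaf. B carries A's subject DN and A's key pair (hence A's SKID) but a
	// new serial: the "re-issued intermediate" of the thread. C reuses the key pair under another DN.
	interA := mustCert(template("Example Intermediate", 100, true), root, &interKey.PublicKey, rootKey)
	interB := mustCert(template("Example Intermediate", 101, true), root, &interKey.PublicKey, rootKey)
	interC := mustCert(template("Example Intermediate 2", 102, true), root, &interKey.PublicKey, rootKey)
	leaf := mustCert(template("example.test", 5000, false), interA, &leafKey.PublicKey, interKey)
	// The same template issued under C changes only the issuer name inside the TBSCertificate.
	// The outer ECDSA signature is randomised, so the comparison below uses the TBS bytes, not Raw.
	leafC := mustCert(template("example.test", 5000, false), interC, &leafKey.PublicKey, interKey)
	return Demo{
		LeafHash: chainHash(leaf.Raw), ChainHashA: chainHash(leaf.Raw, interA.Raw), ChainHashB: chainHash(leaf.Raw, interB.Raw),
		VerifiesUnderA: verifies(leaf, interA, root), VerifiesUnderB: verifies(leaf, interB, root),
		TBSHashA: chainHash(leaf.RawTBSCertificate), TBSHashC: chainHash(leafC.RawTBSCertificate),
	}
}

func main() { fmt.Printf("%+v\n", Run()) }
```

Running it prints identical LeafHash for both presentations, differing ChainHashA and ChainHashB, VerifiesUnderA and VerifiesUnderB both true, and differing TBSHashA and TBSHashC. The verifier cannot tell from the leaf alone which intermediate signed it when name and key agree, which is why the hash must cover the intermediate; when the DN changes, the leaf itself already changes.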
