Hi, >> But: you state that you create a SCH over the end-host cert and the need >> for also hashing and signing the intermediate certs arises because you >> want to avoid a CA having the same cert re-issued with a different >> intermediate CA (that has the original intermediate CA's private key). >> >> Are you assuming then that, if a CA tried this, the DN in the issuer >> field of the end-host cert would be set to the same value again? > > Of course.
OK, I think I understand. So that would (very likely) be a legitimate change, i.e. CA changes notbefore/notafter but re-issues cert in same way. With AKID the same, the end-host cert would not need to be re-issued, but you still want the proof of exactly that one certification with that one intermediate cert. Ralph-- Ralph Holz Network Architectures and Services Technische Universität München http://www.net.in.tum.de/de/mitarbeiter/holz/ PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
signature.asc
Description: OpenPGP digital signature
_______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey
