On 2 August 2012 09:48, Ralph Holz <[email protected]> wrote:
> Hi,
>
>>> But: you state that you create a SCH over the end-host cert and the need
>>> for also hashing and signing the intermediate certs arises because you
>>> want to avoid a CA having the same cert re-issued with a different
>>> intermediate CA (that has the original intermediate CA's private key).
>>>
>>> Are you assuming then that, if a CA tried this, the DN in the issuer
>>> field of the end-host cert would be set to the same value again?
>>
>> Of course.
>
> OK, I think I understand. So that would (very likely) be a legitimate
> change, i.e. CA changes notbefore/notafter but re-issues cert in same
> way.

This change would require a new entry anyway.

> With AKID the same, the end-host cert would not need to be
> re-issued, but you still want the proof of exactly that one
> certification with that one intermediate cert.
>
> Ralph
> --
> Ralph Holz
> Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
>
> _______________________________________________
> therightkey mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/therightkey
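The exchange above turns on one observation: if a CA re-issues an intermediate for the same key and the same subject DN (changing only validity and serial), the end-host certificate's bytes do not change, so a hash over the end-host certificate alone cannot tell the two certification paths apart, while a hash that also covers the intermediate can. The following is an added illustration written for this page, not code from either participant or from any proposal discussed on the list. The toy certificate records, the JSON stand-in for DER, and the chain-hash construction (per-certificate SHA-256 digests concatenated in chain order and hashed again) are all assumptions chosen for the demonstration; the thread does not specify how its hash is built.

```python
import hashlib
import json

# Constructed toy certificate records standing in for DER-encoded X.509.
# Real code would hash the DER bytes of each certificate as presented.
INTERMEDIATE_2010 = {
    "subject": "CN=Example Intermediate CA,O=Example",
    "issuer": "CN=Example Root CA,O=Example",
    "spki": "intermediate-key-fingerprint",   # same key in both versions
    "subjectKeyIdentifier": "a1b2c3",         # so the leaf's AKID still matches
    "notBefore": "2010-01-01",
    "notAfter": "2013-01-01",
    "serial": 1001,
}

# Re-issued by the root for the same intermediate key and name: only the
# validity period and serial differ. A leaf signed by this key with the
# issuer DN and AKID below chains to it without being re-issued.
INTERMEDIATE_2012 = dict(INTERMEDIATE_2010,
                         notBefore="2012-08-01", notAfter="2016-08-01",
                         serial=1002)

LEAF = {
    "subject": "CN=www.example.net,O=Example",
    "issuer": "CN=Example Intermediate CA,O=Example",
    "authorityKeyIdentifier": "a1b2c3",
    "spki": "leaf-key-fingerprint",
    "notBefore": "2012-01-01",
    "notAfter": "2013-01-01",
    "serial": 42,
}


def encode(cert):
    """Deterministic encoding of a toy record (assumed stand-in for DER)."""
    return json.dumps(cert, sort_keys=True, separators=(",", ":")).encode()


def leaf_hash(chain):
    """Hash over the end-host certificate only (chain[0])."""
    return hashlib.sha256(encode(chain[0])).hexdigest()


def chain_hash(chain):
    """Hash binding the end-host cert to exactly the intermediates it was
    presented with: SHA-256 of each cert, concatenated in chain order, hashed
    again. This construction is an assumption made for the example."""
    outer = hashlib.sha256()
    for cert in chain:
        outer.update(hashlib.sha256(encode(cert)).digest())
    return outer.hexdigest()


def reissue_leaf(leaf, not_after):
    """CA re-issues the end-host cert with a new validity period and serial."""
    return dict(leaf, notAfter=not_after, serial=leaf["serial"] + 1)


# Same leaf, two different intermediates that both validate it.
CHAIN_A = [LEAF, INTERMEDIATE_2010]
CHAIN_B = [LEAF, INTERMEDIATE_2012]


def leaf_hash_collides():
    """Leaf-only hashing cannot see which intermediate certified the leaf."""
    return leaf_hash(CHAIN_A) == leaf_hash(CHAIN_B)


def chain_hash_distinguishes():
    """Covering the intermediate separates the two certification paths."""
    return chain_hash(CHAIN_A) != chain_hash(CHAIN_B)


def reissued_leaf_needs_new_entry():
    """A leaf re-issued with changed notAfter changes under either scheme,
    which is why that case needs a new entry regardless."""
    chain_c = [reissue_leaf(LEAF, "2014-01-01"), INTERMEDIATE_2010]
    return (leaf_hash(chain_c) != leaf_hash(CHAIN_A)
            and chain_hash(chain_c) != chain_hash(CHAIN_A))


if __name__ == "__main__":
    print("leaf-only hash identical across intermediates:", leaf_hash_collides())
    print("chain hash differs across intermediates:     ", chain_hash_distinguishes())
    print("re-issued leaf changes both hashes:          ", reissued_leaf_needs_new_entry())
```

Running it shows the three cases the thread touches on: a leaf-only hash is identical for CHAIN_A and CHAIN_B, the chain hash differs between them, and a leaf re-issued with a new notAfter produces a new value under both schemes.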
