[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL server certificate that has an intermediary certificate in the chain

To: Howard Chu <hyc@symas.com>
Subject: Re: SSL server certificate that has an intermediary certificate in the chain
From: Erwann ABALEA <eabalea@gmail.com>
Date: Tue, 2 Aug 2011 12:41:50 +0200
Cc: David Hawes <dhawes@vt.edu>, openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Hwl1zFiTcqmSTu1NSYPmkZ4MTS3PrNzcP09swJGdXK8=; b=PqSs1yqrqFow7tFotM6qWK8sf0Z/zfvxNJ0E/rLYdURN8Cgb0iku+CJP13HXwUzoeB XorxtoC4k6o57dCFLrFfRj1eE9nhFKmAy9TJw5E+L+wJ9ZH2xdrsuKiIDqlaeUGhl23N +kc38zL2vEdVYKB4x0b1TZIBPm6agvm5QSh1A=
In-reply-to: <4E37C7BB.60309@symas.com>
References: <4E330129.4030004@uvm.edu> <alpine.BSO.2.00.1107291208340.11176@morgaine.smi.sendmail.com> <4E334C30.7030004@uvm.edu> <4E33500F.1080006@symas.com> <CA+i=0E6QLNqU4a6mumFm_FtVkwT=AsL6P5RzURVjLVBtUqgsxA@mail.gmail.com> <4E344A05.1050104@symas.com> <4E36D52B.2020208@vt.edu> <4E36DD56.40007@symas.com> <CA+i=0E4oRHqMm0UxBa3z-PeBZiYqF4VknrtrJYe9WXui2wkUDg@mail.gmail.com> <4E37C7BB.60309@symas.com>

2011/8/2 Howard Chu <hyc@symas.com>:
> Erwann ABALEA wrote:
>>
>> 2011/8/1 Howard Chu<hyc@symas.com>:
>>>
>>> David Hawes wrote:
>>
>> [...]
>>>
>>> Think about why you would configure such a setup, and what it actually
>>> means. When you have a certificate of your own, signed by a particular
>>> CA,
>>> that obviously means that you must trust that CA. If you're going to
>>> accept
>>> a cert from another party that is signed by a different CA that obviously
>>> means that you must also trust the other CA. There is absolutely nothing
>>> gained from isolating these two CAs, on either side of the session.
>>
>> You've never been into such a situation. That doesn't mean such an
>> isolation is irrelevant.
>
> Go and read the X.509 spec. Go and read the TLS RFC (2246). You're spouting
> nonsense.

I read it really often, as I'm involved in X.509 PKI since 1998,
working for a large PKI operator, starting by being an SET CA operator
for 8 banks and 3 brands. We host dozens of CAs on our facility; we
deploy new ones everywhere in the world, auditing people, writing
CP/CPS; we produced tens of millions of certificates; we produce
millions of OCSP replies every day, and a lot of other services around
PKI.
I know X.509, and I know RFC2246/4346/5246, among others.
Go tell Apache, Sun, Mozilla, Opera, Microsoft, and a bunch of other
vendors that isolation of CAs is irrelevant, and come here after.

-- 
Erwann.

References:
- Re: SSL server certificate that has an intermediary certificate in the chain
  - From: David Hawes <dhawes@vt.edu>
- Re: SSL server certificate that has an intermediary certificate in the chain
  - From: Howard Chu <hyc@symas.com>
- Re: SSL server certificate that has an intermediary certificate in the chain
  - From: Erwann ABALEA <eabalea@gmail.com>
- Re: SSL server certificate that has an intermediary certificate in the chain
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: SSL server certificate that has an intermediary certificate in the chain
Next by Date: Re: openldap 2.4.15 with error
Index(es):
- Chronological
- Thread