Re: SSL server certificate that has an intermediary certificate in the chain



Erwann ABALEA wrote:
> 2011/8/1 Howard Chu <hyc@symas.com>:
>> David Hawes wrote:
>>> [...]
>> Think about why you would configure such a setup, and what it actually
>> means. When you have a certificate of your own, signed by a particular CA,
>> that obviously means that you must trust that CA. If you're going to accept
>> a cert from another party that is signed by a different CA that obviously
>> means that you must also trust the other CA. There is absolutely nothing
>> gained from isolating these two CAs, on either side of the session.
>
> You've never been in such a situation. That doesn't mean such an
> isolation is irrelevant.

Go and read the X.509 spec. Go and read the TLS RFC (2246). You're spouting nonsense.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/