2011/8/2 Howard Chu hyc@symas.com:
Erwann ABALEA wrote:
2011/8/1 Howard Chuhyc@symas.com:
David Hawes wrote:
[...]
Think about why you would configure such a setup, and what it actually means. When you have a certificate of your own, signed by a particular CA, that obviously means that you must trust that CA. If you're going to accept a cert from another party that is signed by a different CA that obviously means that you must also trust the other CA. There is absolutely nothing gained from isolating these two CAs, on either side of the session.
You've never been into such a situation. That doesn't mean such an isolation is irrelevant.
Go and read the X.509 spec. Go and read the TLS RFC (2246). You're spouting nonsense.
I read it really often, as I'm involved in X.509 PKI since 1998, working for a large PKI operator, starting by being an SET CA operator for 8 banks and 3 brands. We host dozens of CAs on our facility; we deploy new ones everywhere in the world, auditing people, writing CP/CPS; we produced tens of millions of certificates; we produce millions of OCSP replies every day, and a lot of other services around PKI. I know X.509, and I know RFC2246/4346/5246, among others. Go tell Apache, Sun, Mozilla, Opera, Microsoft, and a bunch of other vendors that isolation of CAs is irrelevant, and come here after.