2011/8/2 Howard Chu <hyc(a)symas.com>:
Erwann ABALEA wrote:
> 2011/8/1 Howard Chu<hyc(a)symas.com>:
>> David Hawes wrote:
>> Think about why you would configure such a setup, and what it actually
>> means. When you have a certificate of your own, signed by a particular
>> that obviously means that you must trust that CA. If you're going to
>> a cert from another party that is signed by a different CA that obviously
>> means that you must also trust the other CA. There is absolutely nothing
>> gained from isolating these two CAs, on either side of the session.
> You've never been into such a situation. That doesn't mean such an
> isolation is irrelevant.
Go and read the X.509 spec. Go and read the TLS RFC (2246). You're spouting
I read it really often, as I'm involved in X.509 PKI since 1998,
working for a large PKI operator, starting by being an SET CA operator
for 8 banks and 3 brands. We host dozens of CAs on our facility; we
deploy new ones everywhere in the world, auditing people, writing
CP/CPS; we produced tens of millions of certificates; we produce
millions of OCSP replies every day, and a lot of other services around
I know X.509, and I know RFC2246/4346/5246, among others.
Go tell Apache, Sun, Mozilla, Opera, Microsoft, and a bunch of other
vendors that isolation of CAs is irrelevant, and come here after.