Erwann ABALEA wrote:
2011/8/1 Howard Chu <hyc(a)symas.com>:
> David Hawes wrote:
> Think about why you would configure such a setup, and what it actually
> means. When you have a certificate of your own, signed by a particular CA,
> that obviously means that you must trust that CA. If you're going to accept
> a cert from another party that is signed by a different CA that obviously
> means that you must also trust the other CA. There is absolutely nothing
> gained from isolating these two CAs, on either side of the session.
You've never been in such a situation. That doesn't mean such an
isolation is irrelevant.
Go and read the X.509 spec. Go and read the TLS RFC (2246). You're spouting
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/