[78697] in cryptography@c2.net mail archive


Re: OT: SSL certificate chain problems

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Sat Feb 3 10:52:02 2007

From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com, Victor.Duchovni@MorganStanley.com
In-Reply-To: <20070128180009.GA6149@piias899.ms.com>
Date: Wed, 31 Jan 2007 13:57:04 +1300

Victor Duchovni <Victor.Duchovni@MorganStanley.com> writes:

>What I don't understand is how the old (finally expired) root helps to
>validate the new unexpired root, when a verifier has the old root and the
>server presents the new root in its trust chain.

You use the key in the old root to validate the self-signature in the new
root.  Since they're the same key, you know that the new root supersedes the
expired one.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
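The check described in the reply above, as an added example that is not part of the original message: a Go program using only the standard library that verifies a re-issued root's self-signature with the key from an expired root already in the trust store. The CA name, serial numbers, validity periods and the impostor case (same subject name, different key) are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeRoot returns a self-signed CA certificate (constructed test data).
func makeRoot(key ed25519.PrivateKey, serial int64, from, to time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), NotBefore: from, NotAfter: to,
		Subject: pkix.Name{CommonName: "Example Root CA"}, // hypothetical CA name
		IsCA:    true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// supersedes reports whether candidate carries the trusted root's key and its
// self-signature verifies under that key; validity dates are not consulted.
func supersedes(trusted, candidate *x509.Certificate) bool {
	sameKey := bytes.Equal(trusted.RawSubjectPublicKeyInfo, candidate.RawSubjectPublicKeyInfo)
	return sameKey && candidate.CheckSignatureFrom(trusted) == nil
}

func main() {
	now := time.Now()
	_, caKey, err1 := ed25519.GenerateKey(rand.Reader)
	_, otherKey, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	oldRoot := makeRoot(caKey, 1, now.AddDate(-10, 0, 0), now.AddDate(0, 0, -1)) // expired
	newRoot := makeRoot(caKey, 2, now.AddDate(-1, 0, 0), now.AddDate(10, 0, 0))
	impostor := makeRoot(otherKey, 3, now.AddDate(-1, 0, 0), now.AddDate(10, 0, 0))
	fmt.Println(supersedes(oldRoot, newRoot), supersedes(oldRoot, impostor)) // true false
}
```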
