[78926] in cryptography@c2.net mail archive
Re: OT: SSL certificate chain problems
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Mon Feb 5 16:45:01 2007
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com, Victor.Duchovni@MorganStanley.com
In-Reply-To: <20070131013437.GN6149@piias899.ms.com>
Date: Mon, 05 Feb 2007 21:59:35 +1300
Victor Duchovni <Victor.Duchovni@MorganStanley.com> writes:
>On Wed, Jan 31, 2007 at 01:57:04PM +1300, Peter Gutmann wrote:
>> You use the key in the old root to validate the self-signature in the new
>> root. Since they're the same key, you know that the new root supersedes the
>> expired one.
>
>So this is a special trick to extend root CA lifetimes. How widely is this
>logic implemented, and is extending root CA key lifetime in this manner
>standard practice?
Like a lot of PKI, it's total pot-luck ("crapshoot" in the US I guess) as to
what a particular implementation does when it encounters this situation. It
may work, it may not work, it may work under some circumstances, or it may do
anything in between.
(I've seen some implementations that require a "system rebuild" (meaning
reinstall all your PKI software with the new roots) to roll over roots, all
the way through to ones that handle the situation automatically. There really
is no way to tell what a particular implementation will do, apart from trying
it out and seeing what happens).
Peter.
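The check Peter describes above (use the key in the trusted old root to validate the self-signature on the new root; if the keys match, the new root supersedes the expired one), written out as an added example that is not code from the thread or from any of the implementations discussed. It uses the Python `cryptography` package and builds its own constructed sample roots: an expired root, a re-issued root over the same key, and a root over a fresh key under the same name (which must be rejected). The CA name and validity periods are assumptions.

```python
"""Decide whether a re-issued root CA certificate supersedes an expired root
that carries the same key (the rollover rule discussed in the thread)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _spki_der(cert):
    """DER SubjectPublicKeyInfo of a certificate; used to compare keys byte-for-byte."""
    return cert.public_key().public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )


def _validity_utc(cert):
    """Validity window as aware UTC datetimes (covers old and new cryptography releases)."""
    not_before = getattr(cert, "not_valid_before_utc", None)
    if not_before is not None:
        return not_before, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))


def new_root_supersedes_old(old_root, new_root, now):
    """Apply the rollover rule: same subject, same public key, and the new root's
    self-signature must verify under the key taken from the trusted OLD root.
    The new root must also be inside its own validity window at `now`.
    Returns (accepted, reason)."""
    if old_root.subject != new_root.subject:
        return False, "subject names differ"
    if _spki_der(old_root) != _spki_der(new_root):
        return False, "public keys differ"
    if new_root.issuer != new_root.subject:
        return False, "new root is not self-issued"
    try:
        # Deliberately verify with the key from the old (trusted) root, not the new one.
        old_root.public_key().verify(
            new_root.signature,
            new_root.tbs_certificate_bytes,
            padding.PKCS1v15(),  # RSA PKCS#1 v1.5 self-signature; the sample roots are RSA
            new_root.signature_hash_algorithm,
        )
    except InvalidSignature:
        return False, "new root signature does not verify under the old root key"
    not_before, not_after = _validity_utc(new_root)
    if not (not_before <= now <= not_after):
        return False, "new root is outside its validity period"
    return True, "new root supersedes the old one"


def _self_signed_root(key, name, not_before, not_after):
    """Helper: build a self-signed CA certificate (constructed sample, not a real CA)."""
    dn = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    return (
        x509.CertificateBuilder()
        .subject_name(dn)
        .issuer_name(dn)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )


def build_samples():
    """Constructed certificates: an expired root, a re-issued root over the same key,
    and a root over a fresh key with the same name (the case that must be rejected)."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    old_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    new_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = "Example Root CA (constructed)"  # assumed name, not a real CA
    old_root = _self_signed_root(old_key, name, now - timedelta(days=3650), now - timedelta(days=1))
    renewed = _self_signed_root(old_key, name, now - timedelta(days=30), now + timedelta(days=3650))
    rekeyed = _self_signed_root(new_key, name, now - timedelta(days=30), now + timedelta(days=3650))
    return old_root, renewed, rekeyed, now


if __name__ == "__main__":
    old_root, renewed, rekeyed, now = build_samples()
    print("same key :", new_root_supersedes_old(old_root, renewed, now))
    print("fresh key:", new_root_supersedes_old(old_root, rekeyed, now))
```

Note that this check alone does not settle what a trust store should then do with the expired root (remove it, keep it for validating old signatures, or re-anchor on the new one); that policy is exactly the part Peter says varies between implementations, so it is left to the caller here.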
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com