Reading the FIPS201-1 specification, I find no support for hosting any CA certificates associated with the user certificates.
This makes me wonder how you can use TLS client authentication if the relying party (server) only has the root and not the intermediate CA certificates at hand. Just to verify that these things can be a cause of trouble, I removed an intermediate CA certificate from my local trust store and I could no longer log in using my TPM-hosted certificate. The solution seems to be that the relying party has access to all intermediate CAs for the roots it trusts? This appears to be a bit impractical for "scheme" CAs supporting a lot of independent subordinate CAs. Any comments?

Anders

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto