2011/8/2 Howard Chu <[email protected]>: > Erwann ABALEA wrote: >> >> 2011/8/1 Howard Chu<[email protected]>: >>> >>> David Hawes wrote: >> >> [...] >>> >>> Think about why you would configure such a setup, and what it actually >>> means. When you have a certificate of your own, signed by a particular >>> CA, >>> that obviously means that you must trust that CA. If you're going to >>> accept >>> a cert from another party that is signed by a different CA that obviously >>> means that you must also trust the other CA. There is absolutely nothing >>> gained from isolating these two CAs, on either side of the session. >> >> You've never been into such a situation. That doesn't mean such an >> isolation is irrelevant. > > Go and read the X.509 spec. Go and read the TLS RFC (2246). You're spouting > nonsense.
I read it really often, as I'm involved in X.509 PKI since 1998, working for a large PKI operator, starting by being an SET CA operator for 8 banks and 3 brands. We host dozens of CAs on our facility; we deploy new ones everywhere in the world, auditing people, writing CP/CPS; we produced tens of millions of certificates; we produce millions of OCSP replies every day, and a lot of other services around PKI. I know X.509, and I know RFC2246/4346/5246, among others. Go tell Apache, Sun, Mozilla, Opera, Microsoft, and a bunch of other vendors that isolation of CAs is irrelevant, and come here after. -- Erwann.
