bicknell at ufp.org
Thu Feb 16 16:21:08 UTC 2012
In a message written on Thu, Feb 16, 2012 at 12:57:25AM -0600, Jimmy Hess wrote:
> There is a risk that any CA issued SSL certificate signed by _any_ CA
> may be worthless some time in the future, if the CA chosen is later
> found to have issued sufficient quantities fraudulent certificates,
> and sufficiently failed in their duties.
One thing I'm not clear about is, are there any protocol or
implementation limitations that require only one CA?
I would think I could take my private key and get multiple CA's to
sign it, then present all of those signatures to the client. Should
one CA be revoked, my certificate would still be signed by one or
Does this work? Does anyone do it?
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 826 bytes
Desc: not available
More information about the NANOG