[SSL Observatory] Number of CAs

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Dec 8 13:24:13 PST 2011


On 12/08/2011 04:01 PM, Phillip Hallam-Baker wrote:
> A given end entity cert can be validated under multiple trust paths.

In a given TLS session, the server emits a list of certificates, from EE
up to the CA just below the root CA.

If by "multiple trust paths" you mean "a client might decide to trust
one of the intermediate CAs directly, thereby ignoring the last link or
two of the chain", then i agree with you, though it seems more like a
truncated trust path to me than "multiple trust paths".

if you mean something more diverse and corroborative (e.g. i could
verify example.com's certificate via either CA X or CA Y even though CA
X and CA Y are unrelated to each other), then i confess ignorance of the
mechanism.

Can you explain how the existing X.509+TLS infrastructure allows a site
operator to publish true multiple trust paths (i.e. corroborative
certification) of an EE certificate?  I would be very excited to learn
this, because it would reduce one of the pressures on browser vendors to
retain unreliable CAs in their default root stores.

Regards,

	--dkg
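[Added example, not part of dkg's message or of the list archive.] The three situations the message distinguishes can be made concrete with the openssl CLI: a chain EE -> Intermediate X -> Root X, a client that anchors trust at Intermediate X directly (the "truncated trust path"), and an unrelated Root Y that has no path to the EE at all. All CA names, the example.com subject and the file names below are made up for the demonstration; it needs only the openssl binary (1.1.1 or newer) and writes into a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a toy PKI
#   Toy Root X -> Toy Intermediate X -> example.com (EE)
# plus an unrelated Toy Root Y, then asks OpenSSL three questions:
#   1. full path: EE validated up to Root X                      -> OK
#   2. truncated path: Intermediate X used as the trust anchor,
#      which needs -partial_chain because OpenSSL otherwise
#      insists on reaching a self-signed root                    -> OK
#   3. "corroborative" path: EE validated under unrelated Root Y -> FAIL
# Names and subjects are made up; requires the openssl CLI.
set -e

WORK=$(mktemp -d)

# Extension profiles for CA and end-entity certificates (assumed, minimal).
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ee ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectAltName = DNS:example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# gen_root NAME CN : self-signed root CA with a P-256 key
gen_root() {
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" -days 30 \
    -config "$WORK/ext.cnf" -extensions v3_ca >/dev/null 2>&1
}

# issue NAME CN ISSUER PROFILE : certificate for NAME signed by ISSUER's key
issue() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" \
    -config "$WORK/ext.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -out "$WORK/$1.crt" -days 30 \
    -extfile "$WORK/ext.cnf" -extensions "$4" >/dev/null 2>&1
}

gen_root rootX "Toy Root X"
gen_root rootY "Toy Root Y"
issue intX "Toy Intermediate X" rootX v3_ca
issue ee   "example.com"        intX  v3_ee

# verify_chain TRUST_ANCHOR [extra openssl verify flags...] : prints OK or FAIL.
# The intermediate is always offered as an *untrusted* chain member, which is
# exactly what a TLS server sends alongside the EE certificate.
verify_chain() {
  anchor=$1; shift
  if openssl verify ${1+"$@"} -CAfile "$WORK/$anchor.crt" \
       -untrusted "$WORK/intX.crt" "$WORK/ee.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

full_path()      { verify_chain rootX; }
truncated_path() { verify_chain intX -partial_chain; }
unrelated_ca()   { verify_chain rootY; }

echo "EE -> Intermediate X -> Root X (full path):       $(full_path)"
echo "EE with Intermediate X as trust anchor (truncated): $(truncated_path)"
echo "EE under unrelated Root Y:                          $(unrelated_ca)"
```

The only certificates the server-side ever publishes are the EE and its intermediates; which anchor a client stops at (case 1 or 2) is a decision the client makes against its own trust store, and nothing in the published chain lets Root Y vouch for the EE (case 3) unless Root Y itself, or a CA it has cross-signed, issued a certificate for that same EE key.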
