[SSL Observatory] Number of CAs

Erwann Abalea eabalea at gmail.com
Thu Dec 8 15:10:50 PST 2011


Good evening,

On 8 Dec 2011 23:34, "Adam Langley" <agl at google.com> wrote:
>
> On Thu, Dec 8, 2011 at 5:17 PM, Daniel Kahn Gillmor
> <dkg at fifthhorseman.net> wrote:
> > This makes sense to me, but sending two separate intermediate certs
> > seems to violate the TLS spec:
>
> The TLS spec is mostly guidelines at this point. For this and other
> examples, see http://www.imperialviolet.org/2011/02/04/oppractices.html

Most crypto toolkits ignore the order of the certificates.

> > So the administrator of example.com is still left with the necessity of
> > getting a certificate from exactly one CA.
>
> That is correct. I don't know any way around that at present.

2 certificates, one with an RSA key, the other with a DSA key. This is
supported both by the protocol (SSL3 at least), and by Apache. The 2
certificates can of course be delivered by different CAs. I haven't tested
the browsers' behavior; it may be a good thing to do ;)

-- 
Erwann.
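Added example, not part of the thread: a small Python model of the two behaviours discussed above, the strict RFC 5246 ordering check (which a list carrying two separate intermediates fails) and the lenient issuer-walk that most toolkits do instead, which finds a path even when the order on the wire is wrong or one intermediate is cross-signed by two roots. Certificates are stand-in (subject, issuer) name pairs and the trust store is a set of root names; both are constructed for this example, and no signature checking is modelled.

```python
from typing import List, Optional, Set, Tuple

# A certificate is modelled as a (subject, issuer) name pair; real X.509
# parsing and signature verification are out of scope for this example.
Cert = Tuple[str, str]

def is_strict_rfc_order(chain: List[Cert]) -> bool:
    """RFC 5246 ordering: chain[0] is the leaf and every following
    certificate directly certifies the one before it."""
    if not chain:
        return False
    return all(nxt[0] == cur[1] for cur, nxt in zip(chain, chain[1:]))

def build_path(leaf: Cert, extras: List[Cert], trusted_roots: Set[str],
               max_depth: int = 6) -> Optional[List[Cert]]:
    """Lenient, toolkit-style path building: follow issuer names from the
    leaf to any trusted root name, ignoring the order on the wire and
    allowing several certificates with the same subject (for example an
    intermediate cross-signed by two different roots). Returns the path
    found, or None if no trusted root is reachable."""
    def walk(path: List[Cert]) -> Optional[List[Cert]]:
        top = path[-1]
        if top[1] in trusted_roots:
            return path
        if len(path) >= max_depth:          # bound the search depth
            return None
        for cand in extras:
            if cand[0] == top[1] and cand not in path:
                found = walk(path + [cand])
                if found is not None:
                    return found
        return None
    return walk([leaf])

if __name__ == "__main__":
    # Constructed sample: one intermediate issued under two different roots.
    leaf = ("example.com", "Intermediate CA")
    int_old = ("Intermediate CA", "Old Root")
    int_new = ("Intermediate CA", "New Root")
    wire = [leaf, int_old, int_new]        # what the server sends
    print("strict RFC order:", is_strict_rfc_order(wire))      # False
    print("path to New Root:", build_path(leaf, wire[1:], {"New Root"}))
    print("path to Old Root:", build_path(leaf, wire[1:], {"Old Root"}))
```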