[SSL Observatory] Number of CAs

Adam Langley agl at google.com
Thu Dec 8 15:16:40 PST 2011


On Thu, Dec 8, 2011 at 6:10 PM, Erwann Abalea <eabalea at gmail.com> wrote:
> 2 certificates, one with an RSA key, the other with a DSA key. This is
> supported both by the protocol (SSL3 at least), and by Apache. The 2
> certificates can of course be delivered by different CAs. I haven't tested
> the browsers' behavior, it may be a good thing to do ;)

That certainly works, but the server selects only one certificate
chain to serve based on the selected cipher suite. Since the client's
advertised cipher suites are basically fixed, a given client will
always get the same chain, so I don't believe that this achieves the
CA redundancy that Daniel was looking for.


Cheers

AGL
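The selection behaviour discussed in this message, as an added example that is not part of the original e-mail: a simplified model of a server holding an RSA chain and a DSA chain and choosing by negotiated cipher suite. The cipher suite names are standard ones; the client profiles, the CA labels, and the choice to follow client preference order are assumptions made for illustration.

```python
# Simplified model of server-side chain selection in SSL3/TLS (added example).
# Client profiles and chain labels below are constructed, not measured.

# Certificate key type required by each cipher suite's authentication method.
SUITE_AUTH = {
    "TLS_RSA_WITH_RC4_128_SHA": "RSA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "RSA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "RSA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": "DSA",
}

# One chain per key type, each issued by a different CA (hypothetical labels).
SERVER_CHAINS = {"RSA": "chain-from-CA-A", "DSA": "chain-from-CA-B"}

# Constructed client profiles: the advertised list is fixed per client build.
CLIENT_RSA_FIRST = ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
                    "TLS_RSA_WITH_AES_128_CBC_SHA"]
CLIENT_DSS_FIRST = ["TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
                    "TLS_RSA_WITH_RC4_128_SHA"]


def negotiate(client_suites, server_chains=SERVER_CHAINS):
    """Pick the first client suite the server has a matching chain for.

    Assumption: the server honours client preference order. A server that
    applies its own order is equally deterministic for a fixed client list.
    """
    for suite in client_suites:
        auth = SUITE_AUTH.get(suite)
        if auth in server_chains:
            return suite, server_chains[auth]
    raise ValueError("no shared cipher suite")


def chains_seen(client_suites, handshakes=100, server_chains=SERVER_CHAINS):
    """Set of chains a single client observes over repeated handshakes."""
    return {negotiate(client_suites, server_chains)[1] for _ in range(handshakes)}


if __name__ == "__main__":
    for name, suites in [("rsa-first", CLIENT_RSA_FIRST),
                         ("dss-first", CLIENT_DSS_FIRST)]:
        print(name, "->", sorted(chains_seen(suites)))
```

Each client profile only ever sees one of the two chains, so a given client's trust decision still rests on a single CA.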


