[SSL Observatory] Number of CAs

Erwann Abalea eabalea at gmail.com
Thu Dec 8 15:25:24 PST 2011


On 9 Dec 2011 00:16, "Adam Langley" <agl at google.com> wrote:
>
> On Thu, Dec 8, 2011 at 6:10 PM, Erwann Abalea <eabalea at gmail.com> wrote:
> > 2 certificates, one with an RSA key, the other with a DSA key. This is
> > supported both by the protocol (SSL3 at least), and by Apache. The 2
> > certificates can of course be delivered by different CAs. I haven't tested
> > the browsers' behavior, it may be a good thing to do ;)
>
> That certainly works, but the server selects only one certificate
> chain to serve based on the selected cipher suite. Since the client's
> advertised cipher suites are basically fixed, a given client will
> always get the same chain, so I don't believe that this achieves the
> CA redundancy that Daniel was looking for.

True. That was a stupid idea, I just noticed this while reading RFC2246.
This would require the client to send 2 different cipher suites with the
hope that 2 different certificates would show. With ECDSA, you can extend
this stupid behavior to 3 different things.

-- 
Erwann.
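Added illustration of the point made in this exchange (example code, not from either poster): a toy model of a server that holds one chain per key type and picks exactly one chain per handshake from the authentication algorithm of the first usable cipher suite in a fixed ClientHello. Suite-to-algorithm mapping, client order as the selection order, and the CA labels are constructed assumptions for the example.

```python
# Constructed subset: authentication algorithm implied by each cipher suite.
SUITE_AUTH = {
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "RSA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "RSA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": "DSA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "ECDSA",
}

# Constructed server configuration: one chain per key type, each issued by a
# different CA (labels are hypothetical).
SERVER_CHAINS = {"RSA": "CA-A", "DSA": "CA-B"}

# Constructed ClientHello: a typical client lists RSA suites before DSS ones and
# sends the same list on every connection.
CLIENT_HELLO = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
]


def select_chain(client_suites, server_chains):
    """Return (suite, chain) for the first client-offered suite whose
    authentication algorithm the server has a chain for (client preference
    order is assumed here). Returns None when no suite is usable."""
    for suite in client_suites:
        auth = SUITE_AUTH.get(suite)
        if auth is not None and auth in server_chains:
            return suite, server_chains[auth]
    return None


def handshake_outcome(client_suites, server_chains, trusted_cas):
    """Simulate one connection. The served chain depends only on the
    ClientHello, so a client that does not trust that chain's CA fails even
    though the server also holds a chain from another CA."""
    selected = select_chain(client_suites, server_chains)
    if selected is None:
        return "no common cipher suite"
    suite, ca = selected
    if ca in trusted_cas:
        return "ok"
    return f"untrusted chain from {ca} via {suite}"


if __name__ == "__main__":
    # Both CAs trusted: fine. CA-A distrusted: the fixed hello still yields
    # the RSA chain, so the DSA chain from CA-B provides no redundancy.
    print(handshake_outcome(CLIENT_HELLO, SERVER_CHAINS, {"CA-A", "CA-B"}))
    print(handshake_outcome(CLIENT_HELLO, SERVER_CHAINS, {"CA-B"}))
    # Only a deliberately different (DSS-only) hello reaches the other chain.
    print(handshake_outcome(CLIENT_HELLO[2:], SERVER_CHAINS, {"CA-B"}))
```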