[149847] in North American Network Operators' Group
Re: SSL Certificates
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Thu Feb 16 11:22:32 2012
Date: Thu, 16 Feb 2012 08:21:08 -0800
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <CAAAwwbWmiAgX5RB-1wTmJZNmkWU7wkHA6HA-THGZ3bYfRGsW6A@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
In a message written on Thu, Feb 16, 2012 at 12:57:25AM -0600, Jimmy Hess wrote:
> There is a risk that any CA issued SSL certificate signed by _any_ CA
> may be worthless some time in the future, if the CA chosen is later
> found to have issued sufficient quantities of fraudulent certificates,
> and sufficiently failed in their duties.
One thing I'm not clear about is, are there any protocol or
implementation limitations that require only one CA?
I would think I could take my private key and get multiple CAs to
sign it, then present all of those signatures to the client. Should
one CA be revoked, my certificate would still be signed by one or
more others.
Does this work? Does anyone do it?
-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/