nanog mailing list archives

Re: SSL Certificates

From: Leo Bicknell <bicknell () ufp org>
Date: Thu, 16 Feb 2012 08:21:08 -0800

In a message written on Thu, Feb 16, 2012 at 12:57:25AM -0600, Jimmy Hess wrote:

There is a risk that any CA issued SSL certificate signed by _any_ CA
may be worthless some time in the future, if the CA chosen is later
found to have issued  sufficient quantities fraudulent certificates,
and sufficiently failed in their duties.


One thing I'm not clear about is, are there any protocol or
implementation limitations that require only one CA?

I would think I could take my private key and get multiple CA's to
sign it, then present all of those signatures to the client.  Should
one CA be revoked, my certificate would still be signed by one or
more others.

Does this work?  Does anyone do it?

-- 
       Leo Bicknell - bicknell () ufp org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/

Attachment: _bin
Description:

Current thread:

Re: SSL Certificates Ask Bjørn Hansen (Feb 15)
- Re: SSL Certificates John Levine (Feb 15)
  - Re: SSL Certificates George Herbert (Feb 15)
    - Re: SSL Certificates Jimmy Hess (Feb 15)
    - Re: SSL Certificates John R. Levine (Feb 16)
    - Re: SSL Certificates Christopher Morrow (Feb 16)
    - Re: SSL Certificates John R. Levine (Feb 16)
    - Re: SSL Certificates Jeroen Massar (Feb 16)
    - Re: SSL Certificates startssl.com James Triplett (Feb 16)
    - Re: SSL Certificates Leo Bicknell (Feb 16)
    - Re: SSL Certificates John Levine (Feb 16)
    - Re: SSL Certificates George Herbert (Feb 16)
  - Re: SSL Certificates bmanning (Feb 15)