Anders Rundgren wrote:
> [...]. That Root is actually signed by the
> same key and has the same issuer as Sub does not put it in the same level
> as Sub since Root is self-signed.
I think you should rethink the meaning of *self*-signed.
The issuer of Root *is* Root, so Root and Sub *do* share the same
issuer, and they are at the same level.
An interesting variation of that is hierarchies that use separate
certificates to sign CRLs and to sign certificates (I'm not talking about
indirect CRLs here; both certificates have the same DN and therefore in
X.509/RFC 3280 belong to the same CA entity. Several crypto APIs do not
support that, because they incorrectly require that the CRL be signed by
the same key as the certificates).
At the Sub level, there will be two certs, Sub-cert and Sub-Crl, both
signed by Root-cert.
At the Root level, there will also be two certs, Root-cert and Root-Crl.
Root-cert is self-signed (signed by Root-cert), and Root-Crl is also
signed by Root-cert.
Still, Root-Crl is *not* one level below Root-cert, and it validly
emits the CRL for Root-cert.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto