Daniel,

Daniel Kluge wrote:
>
> IE stores not only the root certificates, but also all intermediate
> certificates, hence it is successful in putting together the certificate
> chain.

IE is only successful in putting together the full cert chain if it already has a copy of the intermediate CA cert stored in its cert database. This can only be done if you have previously visited another secure server that was correctly configured and sent the entire cert chain. This has the effect of hiding from IE users the misconfiguration of the server visited the second time, which failed to send part of the cert chain, namely the intermediate CA.

> And actually as far as the size of those go, a collection of root
> certificates is much much bigger, than the one with the intermediate
> certificates, so the bloat theory doesn't quite hold water.

That simply isn't true; the potential for bloat is there. Each root CA can issue any number of intermediate CAs, which could issue more, and so forth. The potential growth of the PKI tree is exponential, depending on which sites you visit. It is true that the bloat doesn't exist today, because most CAs only use a few or no intermediate CA certs. However, that may not be the case tomorrow when PKI becomes more widely deployed.

-- 
"Except for the lack of debugging and the ps thing, [Linux] kernel threads are generally fine right now. And if you're not too fussed about the more fiddly details of POSIX threads, and your application doesn't spend most of its time in thread creation, then LinuxThreads is great too."
Linux-Kernel archive
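
The masking effect described in the message above, as an added example that is not part of the original post: a small model of client-side path building that reports when a server's chain only validates because of a cached intermediate. Certificates are reduced to subject/issuer names (an assumption; real path building also checks signatures and validity), and all names and sample chains are constructed.

```python
# Added illustration. A "certificate" here is just subject -> issuer;
# signature, validity and constraint checks are deliberately left out.

ROOTS = {"Example Root CA"}                       # constructed trust store
GOOD_SERVER = {                                   # sends leaf + intermediate
    "www.good.test": "Example Intermediate CA",
    "Example Intermediate CA": "Example Root CA",
}
BAD_SERVER = {                                    # omits the intermediate
    "www.bad.test": "Example Intermediate CA",
}

def build_chain(leaf, pool, roots):
    """Follow issuer links from leaf to a trusted root using only `pool`.
    Returns the list of subjects (leaf first) or None if a link is missing."""
    chain, current = [], leaf
    while current not in roots:
        if current not in pool or current in chain:
            return None        # missing cert (or a loop): no trusted path
        chain.append(current)
        current = pool[current]
    return chain + [current]

def diagnose(leaf, sent, cache, roots):
    """Classify what the server sent, independent of what the client cached."""
    if build_chain(leaf, sent, roots):
        return "complete"
    if build_chain(leaf, {**cache, **sent}, roots):
        return "incomplete-masked-by-cache"
    return "incomplete"

def visit(leaf, sent, cache, roots):
    """Model a client that stores intermediates from chains that validated."""
    result = diagnose(leaf, sent, cache, roots)
    if result == "complete":
        cache.update({s: i for s, i in sent.items() if s != leaf})
    return result

def demo():
    cache = {}                 # the client's intermediate store starts empty
    return [
        visit("www.bad.test", BAD_SERVER, cache, ROOTS),
        visit("www.good.test", GOOD_SERVER, cache, ROOTS),
        visit("www.bad.test", BAD_SERVER, cache, ROOTS),
    ]

if __name__ == "__main__":
    print(demo())
```

A server-side check should use only the first branch of `diagnose`, validating against the roots and the certificates the server actually sent.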
