Ian G wrote:
Not strictly speaking, since certificates per se can't issue other certificates. There's some unavoidable ambiguity here between using the term "CA" to refer to the "technical means" (private key, etc.) by which certificates are issued and using the term "CA" to refer to the organization employing those means. I'd happily accept suggestions on how to clarify this distinction.
On that specific point, I didn't know that certificates can't sign.
Indeed they cannot. signatures are made with PRIVATE keys. Certs contain Public keys.
Public key certificates are used only to VERIFY the signatures created with the private keys. A CA may have many certificates that all share a common public key, and consequently certs that are issued by that CA may be verifiable with more then one of the CA's certs. (This occurs in the case of a "bridge CA" for example.)
I did some quick searching and wasn't able to turn up anything that confirmed that and/or gave an alternate wording. Anyone else know any better wording?
I guess I would change the phrase "that CAs use different root CAs " to something like "CAs use separate root certs eith separate public keys..." (The use of separate Private keys is implied by the specification of separate public keys, since the keys come in pairs.)
-- Nelson B _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
