On Thu, Dec 8, 2011 at 5:17 PM, Daniel Kahn Gillmor <[email protected]> wrote:
> This makes sense to me, but sending two separate intermediate certs
> seems to violate the TLS spec:

The TLS spec is mostly guidelines at this point. For this and other examples, see http://www.imperialviolet.org/2011/02/04/oppractices.html

> So the administrator of example.com is still left with the necessity of
> getting a certificate from exactly one CA.

That is correct. I don't know any way around that at present.

It would be possible to change this in a backward compatible fashion, although at the cost of seriously bloating the server's handshake. Such a change, however, would not be significant unless a large number of sites adopted it. Otherwise revoking a major CA would still be extremely costly for a browser.

Cheers

AGL
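The following toy model is added here as an illustration and is not code from the thread or from either author. It shows, with constructed certificate names (the leaf "www.example.com", a cross-signed "Intermediate X", and two hypothetical roots "Root A" and "Root B"), the two client behaviours under discussion: the strict single-ordered-chain reading of RFC 5246 §7.4.2, under which a certificate_list carrying two intermediates fails, versus a path-building client that treats the extra certificates as a pool and can still reach a trusted root after one CA's root has been removed from the trust store. Matching is on subject/issuer names only; real validation also checks signatures, validity periods and constraints, which this model omits.

```python
# Added example (not from the thread): toy model of TLS certificate path building.
# Certificates are reduced to (subject, issuer) name pairs; no signatures are checked.
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

# Constructed sample data: the leaf is issued by "Intermediate X", which is
# cross-signed, i.e. it has one certificate issued by Root A and one by Root B.
LEAF = Cert("www.example.com", "Intermediate X")
INTERMEDIATE_VIA_A = Cert("Intermediate X", "Root A")
INTERMEDIATE_VIA_B = Cert("Intermediate X", "Root B")


def ordered_chain_ok(certificate_list, trusted_roots):
    """Strict reading of RFC 5246 section 7.4.2: certificate_list must be a
    single chain where each certificate directly certifies the one before it,
    ending in a certificate issued by a trusted root."""
    for prev, nxt in zip(certificate_list, certificate_list[1:]):
        if prev.issuer != nxt.subject:
            return False
    return certificate_list[-1].issuer in trusted_roots


def build_paths(leaf, extra_certs, trusted_roots):
    """Path-building client: treat the extra certificates as an unordered pool
    and return every issuer path (as a list of names) from the leaf to a name in
    trusted_roots. Each pool certificate is used at most once per path."""
    paths = []

    def walk(cert, names, used):
        if cert.issuer in trusted_roots:
            paths.append(names + [cert.issuer])
            return
        for candidate in extra_certs:
            if candidate.subject == cert.issuer and candidate not in used:
                walk(candidate, names + [candidate.subject], used + [candidate])

    walk(leaf, [leaf.subject], [])
    return paths


if __name__ == "__main__":
    roots = {"Root A", "Root B"}
    pool = [INTERMEDIATE_VIA_A, INTERMEDIATE_VIA_B]

    # A conventional single chain satisfies the strict check.
    print("single chain, strict:", ordered_chain_ok([LEAF, INTERMEDIATE_VIA_A], roots))
    # Sending both intermediates breaks the strict ordering rule.
    print("two intermediates, strict:", ordered_chain_ok([LEAF] + pool, roots))
    # A path-building client finds a path through either root.
    print("two intermediates, path building:", build_paths(LEAF, pool, roots))
    # After Root A is distrusted, the path through Root B survives.
    print("Root A distrusted:", build_paths(LEAF, pool, {"Root B"}))
```

Run it directly to see the four cases; the last line is the point of the thread: only a client that builds paths from a pool of certificates, rather than insisting on one ordered chain, lets a site survive the removal of one of the two roots without the administrator obtaining a second end-entity certificate.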
