Good evening,

On 8 Dec 2011 23:34, "Adam Langley" <[email protected]> wrote:
>
> On Thu, Dec 8, 2011 at 5:17 PM, Daniel Kahn Gillmor
> <[email protected]> wrote:
> > This makes sense to me, but sending two separate intermediate certs
> > seems to violate the TLS spec:
>
> The TLS spec is mostly guidelines at this point. For this and other
> examples, see http://www.imperialviolet.org/2011/02/04/oppractices.html

Most crypto toolkits ignore the order of the certificates.

> > So the administrator of example.com is still left with the necessity of
> > getting a certificate from exactly one CA.
>
> That is correct. I don't know any way around that at present.

2 certificates, one with an RSA key, the other with a DSA key. This is supported both by the protocol (SSL3 at least), and by Apache. The 2 certificates can of course be delivered by different CAs.
I haven't tested the browsers' behavior, it may be a good thing to do ;)

--
Erwann.
