On Dec 9, 2011 00:16, "Adam Langley" <[email protected]> wrote:
>
> On Thu, Dec 8, 2011 at 6:10 PM, Erwann Abalea <[email protected]> wrote:
> > 2 certificates, one with an RSA key, the other with a DSA key. This is
> > supported both by the protocol (SSL3 at least), and by Apache. The 2
> > certificates can of course be delivered by different CAs. I haven't tested
> > the browsers' behavior, it may be a good thing to do ;)
>
> That certainly works, but the server selects only one certificate
> chain to serve based on the selected cipher suite. Since the client's
> advertised cipher suites are basically fixed, a given client will
> always get the same chain, so I don't believe that this achieves the
> CA redundancy that Daniel was looking for.
True. That was a stupid idea, I just noticed this while reading RFC2246. This
would require the client to send 2 different cipher suites with the hope that
2 different certificates would show. With ECDSA, you can extend this stupid
behavior to 3 different things.

--
Erwann.
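The point made in this exchange (the server picks a single chain from the negotiated cipher suite, so a client with a fixed suite list always sees the same chain, and a second CA is only reached if the client changes what it offers) can be modelled in a few lines. The following Python is an added illustration, not code from the thread or from any TLS stack; the server preference order, the three chains and their issuing CAs are constructed sample values, and `select_suite` is a simplified stand-in for a real server's negotiation.

```python
# Added example: a minimal model of certificate-chain selection in a TLS server.
# The chain sent is a function of the negotiated cipher suite's authentication
# algorithm, so it is determined by the client's offered suites and the server's
# fixed preference order. Names follow the RFC 5246 / RFC 4492 convention
# (TLS_<kx>_<auth>_WITH_..., or TLS_RSA_WITH_... for RSA key transport).
from typing import Dict, List, Optional, Set

# Hypothetical server configuration: one chain per key type, each from a
# different CA (constructed sample values, not real certificates).
SERVER_CHAINS: Dict[str, str] = {
    "RSA": "chain issued by CA-A (RSA key)",
    "DSS": "chain issued by CA-B (DSA key)",
    "ECDSA": "chain issued by CA-C (ECDSA key)",
}

# Server preference order (an assumption of this model).
SERVER_SUITES: List[str] = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def auth_algorithm(suite: str) -> str:
    """Return the authentication algorithm named by a cipher suite.

    "TLS_ECDHE_ECDSA_WITH_..." -> "ECDSA"; "TLS_RSA_WITH_..." -> "RSA".
    """
    kx_auth = suite.split("_WITH_")[0].split("_")[1:]  # e.g. ["ECDHE", "ECDSA"]
    return kx_auth[-1]


def select_suite(client_suites: List[str],
                 server_suites: List[str] = SERVER_SUITES,
                 chains: Dict[str, str] = SERVER_CHAINS) -> Optional[str]:
    """Pick the first suite in *server* preference order that the client
    offered and for which the server holds a matching certificate chain."""
    offered = set(client_suites)
    for suite in server_suites:
        if suite in offered and auth_algorithm(suite) in chains:
            return suite
    return None  # no common suite: handshake would fail


def select_chain(client_suites: List[str],
                 server_suites: List[str] = SERVER_SUITES,
                 chains: Dict[str, str] = SERVER_CHAINS) -> Optional[str]:
    """The single chain the server would send for this ClientHello."""
    suite = select_suite(client_suites, server_suites, chains)
    return chains[auth_algorithm(suite)] if suite else None


def chains_reachable(client_hellos: List[List[str]]) -> Set[str]:
    """Set of distinct chains a client would ever receive across the given
    ClientHello suite lists; a fixed list yields exactly one chain."""
    return {c for hello in client_hellos if (c := select_chain(hello))}


if __name__ == "__main__":
    # A client with a fixed list (RSA and DSA suites, as in the SSL3-era setup
    # discussed above) gets the same chain on every connection.
    fixed = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"]
    print("fixed client, 3 handshakes:", chains_reachable([fixed] * 3))
    # Only a client that changes what it offers can reach the other CA's chain.
    print("RSA-only hello:", select_chain(["TLS_RSA_WITH_AES_128_CBC_SHA"]))
    print("ECDSA-only hello:", select_chain(["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]))
```

Because `chains_reachable` over repeated identical hellos always returns a single chain, the model reproduces the observation above: multiple certificates of different key types give the server a choice per cipher suite, not per-client redundancy across CAs, unless the client deliberately varies its offered suites.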
