On Fri, Mar 29, 2002 at 10:46:49AM +0530, Chandu wrote:
> Hi,
> Thank you very much for the response.
> 
> I agree with you.  In the case of an OCSP Responder, this is possible.
> 
> But can we imagine a case where the end-entity (i.e., a user) gets two
> certificates from two different CAs for the same Public Key?
> 
> I would like to know what uses it may have....

I cannot tell you what it would be useful for. But anyway, if you apply
for several certificates from different CAs with the same request
(containing the same public key matching your private key), you would
receive several certificates for the same public key.
This should be no problem for OpenSSL, but from my own experience it seems
that at least Netscape manages its user certificates by private key
(or public key, which doesn't matter as the effect would be the same):
it cannot distinguish correctly between items. When playing around with
certificates and home-made CAs for the first time a long time ago,
importing and exporting PKCS12 etc., I have seen a lot of strange
effects, like certificates that were not listed and thus could not
be removed, but a new import failed because it already was there etc...

I would thus recommend to keep a clear structure and use one private key
(and thus one public key) for exactly one purpose and only use it with
one certificate...

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
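
The case discussed in the reply above (one request signed by two CAs, giving two certificates for one public key), reproduced with the openssl command line as an added example that is not part of the original thread. It also shows a check for a certificate directory: group certificates by the SHA-256 of their SubjectPublicKeyInfo and report every key that appears more than once. The function names, file names and subject names are assumptions made for the demonstration, and all keys and certificates are generated as throwaway test material.

```shell
#!/bin/sh
# Added example: list public keys that appear in more than one certificate.
# All names, subjects and files are constructed for the demonstration.

# spki_fp CERT -> hex SHA-256 of the certificate's DER SubjectPublicKeyInfo
spki_fp() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | awk '{ print $1 }'
}

# shared_keys DIR -> "<fingerprint> <count>" for each key used by >1 *.pem cert
shared_keys() {
    for cert in "$1"/*.pem; do
        spki_fp "$cert"
    done | sort | uniq -c | awk '$1 > 1 { print $2, $1 }'
}

# make_demo DIR -> two throwaway CAs sign ONE request; a control
# certificate (other.pem) is issued for a different key.
make_demo() {
    d=$1
    for k in ca1 ca2 user other; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$k.key"
    done
    for ca in ca1 ca2; do
        openssl req -new -x509 -key "$d/$ca.key" -subj "/CN=Demo $ca" \
            -days 1 -out "$d/$ca.crt"
    done
    # The single request, carrying the user's public key
    openssl req -new -key "$d/user.key" -subj "/CN=demo user" -out "$d/user.csr"
    for ca in ca1 ca2; do
        openssl x509 -req -in "$d/user.csr" -CA "$d/$ca.crt" -CAkey "$d/$ca.key" \
            -set_serial 1 -days 1 -out "$d/user-$ca.pem" 2>/dev/null
    done
    openssl req -new -x509 -key "$d/other.key" -subj "/CN=other user" \
        -days 1 -out "$d/other.pem"
}

demo=$(mktemp -d)
make_demo "$demo"
shared_keys "$demo"   # prints one line: the user key's fingerprint and 2
rm -rf "$demo"
```

The two user certificates differ in issuer and signature but share one fingerprint, which is why software that indexes certificates by key alone cannot tell them apart.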
