Bonjour,
Hodie III Kal. Sep. MMXI, Jakob Bohm scripsit:
[...]
> 1) The CA has changed/improved the attributes, e.g. by extending the
> expiry date or adding a CRL
> location for detecting future root cert revocation (a good
> precaution for CA's to take, coupled with
> a pre-generated key compromise CRL stored somewhere off-site but secure).
The relying party won't automatically update its trust store when
receiving such a certificate, even if the key is reused. So it won't
trust this new certificate, and won't use it to build a valid
certification path. But you can of course manually grab it for this:
> 2) My browser lacks the CA cert, in which case having it at hand
> eliminates one of the two steps
> in securely adding it (the other step is to compare the cert hash
> ("fingerprint") with a known published
> value).
Is that really useful? Always sending a useless certificate in case
someone would need it and use "openssl s_client -connect ...
-showcerts" to update its database, instead of providing a link to
this certificate somewhere?
--
Erwann ABALEA <erwann.aba...@keynectis.com>
Département R&D
KEYNECTIS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
