[cabfpub] BR Issue 7

Erwann Abalea erwann.abalea at keynectis.com
Wed Nov 7 18:50:55 UTC 2012

Le 07/11/2012 09:14, Rob Stradling a écrit :
> On 06/11/12 19:20, Ryan Hurst wrote:
>> There is even value in the root issued intermediates as there are often
>> updated versions of roots published, inclusion of the pointer in root issued
>> intermediates makes it possible for the most recent version of the
>> certificate to always be discoverable.
> That's true, Ryan, but I don't see why it's needed.

Debugging only.

> Making a more recent "version" of a Root Certificate discoverable does
> not mean that it magically becomes trusted by clients.  Clients will
> only trust the new "version" once it has been added to their Trusted
> Root Certificate list - an event which negates any need for discovery.
> (You can't add a Root Certificate to a trust list if you haven't
> discovered it yet!)

In fact, you can. It has been done in the past, with SET.
The root certificate had an extension containing the hash of the public 
key that will be used the year after.
Every certificate was renewed every year, even the root.

That said, I don't really approve the change to a MUST.

More information about the Public mailing list