Security Basics mailing list archives

Re: Another basic PKI question

From: Jon Barber <jon.barber () microexpert com>
Date: Tue, 14 Oct 2003 17:23:25 +0100

Roger A. Grimes wrote:

First, thanks to everyone who responded to my last question regarding PKI.

(The answer to that one was that yes, both public and private keys can
encrypt and decrypt (with most popular PKI protocols); but who encrypts and
decrypts depends on whether you are signing or encrypting...but yes, the
private key can encrypt.  Thank you all.)

New question:  When I recieve a digital certificate, do I (or my browser)
have to trust every PKI CA in the tree of trust heading all the way back up
to the root CA, or just the closest CA to me in the chain of trust?  I'm
guessing it's the latter.

Well now you're into the fantastic world of X.509 certificates & relatednightmares. I'd recommend you read Peter Gutmann's X.509 Style Guide :http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt. What yourbrowser does depends on what the developers were thinking at the time.


I'd have a few stiff drinks to hand.

Regards,

Jon Barber.




---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Another basic PKI question Roger A. Grimes (Oct 14)
- Re: Another basic PKI question Jon Barber (Oct 14)
- RE: Another basic PKI question David Gillett (Oct 14)
- Re: Another basic PKI question Francisco Andrades (Oct 14)
  - RE: Another basic PKI question Ronald Kiss (Oct 15)
- <Possible follow-ups>
- RE: Another basic PKI question Hols, Albert (Oct 14)