Bug#514807: statistics about V1 CA Certs / general assumptions about the state of the network

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Mar 23 14:25:25 UTC 2009


On 03/23/2009 08:24 AM, Simon Josefsson wrote:
> Check RFC 5280: the TBSCertificate structure contains the version, and
> the structure is signed, so to change a V1 cert to V3 cert you'd have to
> re-sign it.  That's possible of course, but you'll need the private key.
> And in that case, you might as well generate a new V3 certificate
> rather than converting information from an old one.

OK, that makes sense.  But the holder of the secret key corresponding to
a V1 certificate could very well create a matching V3 certificate...

> I'm not sure what I meant above though: if the public key is the same,
> certs signed by the V1 cert may correctly chain back to the V3 cert.

This is the interesting bit, I think.  If we could sort this out, test
it, and document how it works, then we could provide a series of steps for CAs
to follow if they wanted to bring their root certificates into the
modern era.  (of course, convincing these particular CAs to transform
their root certificates is another story!)

	--dkg
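[Editor's note: the following is an added, self-contained example and is not part of the mail thread, nor gnutls or Debian code. It tries the chaining question above using Go's crypto/x509, chosen only because it can both re-encode a TBSCertificate and run a chain verification without external tools. It builds a V3 root, produces a V1 encoding of the same root by dropping the [0] version and [3] extensions fields from TBSCertificate and re-signing with the same key (the re-signature Simon describes), issues a leaf under the V1 root as a legacy CA would have, and then checks that the leaf verifies against either encoding of the root. It also checks that the V3 root's original signature does not verify over the V1 TBSCertificate, which is the reason the version cannot be changed without the private key. Subject names, serial numbers, lifetimes and the helper names StripToV1, ChainsTo and BuildDemo are assumptions made for this example.]

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// StripToV1 re-encodes a DER X.509 v3 certificate as v1 and re-signs it with the
// issuer key. The context-tagged TBSCertificate fields (version [0], uniqueIDs
// [1]/[2], extensions [3]) are dropped; that changes the signed bytes, so the
// private key cannot be avoided. Assumes sha256WithRSAEncryption, as used below.
func StripToV1(der []byte, key *rsa.PrivateKey) ([]byte, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil || cert.SignatureAlgorithm != x509.SHA256WithRSA {
		return nil, fmt.Errorf("need a parseable sha256WithRSAEncryption certificate: %v", err)
	}
	var tbs asn1.RawValue
	if _, err = asn1.Unmarshal(cert.RawTBSCertificate, &tbs); err != nil {
		return nil, err
	}
	var fields []asn1.RawValue // serial, sigAlg, issuer, validity, subject, spki
	var body []byte            // their DER, concatenated
	for rest := tbs.Bytes; len(rest) > 0; {
		var f asn1.RawValue
		if rest, err = asn1.Unmarshal(rest, &f); err != nil {
			return nil, err
		}
		if f.Class != asn1.ClassContextSpecific { // universal tags only: that is v1
			fields = append(fields, f)
			body = append(body, f.FullBytes...)
		}
	}
	if len(fields) != 6 {
		return nil, fmt.Errorf("unexpected TBSCertificate layout: %d fields", len(fields))
	}
	newTBS, _ := asn1.Marshal(asn1.RawValue{Class: asn1.ClassUniversal, Tag: asn1.TagSequence, IsCompound: true, Bytes: body})
	digest := sha256.Sum256(newTBS)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature };
	// fields[1] is the inner AlgorithmIdentifier, reused so inner and outer agree.
	return asn1.Marshal(struct {
		TBS, Alg asn1.RawValue
		Sig      asn1.BitString
	}{asn1.RawValue{FullBytes: newTBS}, fields[1], asn1.BitString{Bytes: sig, BitLength: 8 * len(sig)}})
}

// ChainsTo reports whether leaf validates with root as the only trust anchor.
func ChainsTo(leaf, root *x509.Certificate, at time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// parse turns a (der, err) pair into a certificate, panicking on error (demo setup only).
func parse(der []byte, err error) *x509.Certificate {
	c, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return c
}

// BuildDemo constructs the test PKI: one CA key, its root encoded as v3 and as v1,
// and a leaf issued under the v1 root as a legacy CA would have. Names, serials
// and lifetimes are assumptions made for this example.
func BuildDemo() (rootV3, rootV1, leaf *x509.Certificate, now time.Time) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now = time.Now()
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Legacy Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	rootV3 = parse(x509.CreateCertificate(rand.Reader, root, root, &caKey.PublicKey, caKey))
	rootV1 = parse(StripToV1(rootV3.Raw, caKey))
	ee := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.net"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour)}
	leaf = parse(x509.CreateCertificate(rand.Reader, ee, rootV1, &leafKey.PublicKey, caKey))
	return
}

func main() {
	rootV3, rootV1, leaf, now := BuildDemo()
	fmt.Printf("root encoded as v%d and v%d; leaf chains to v1 root: %v, to v3 root: %v\n",
		rootV1.Version, rootV3.Version, ChainsTo(leaf, rootV1, now), ChainsTo(leaf, rootV3, now))
	fmt.Println("v3 signature valid over v1 TBSCertificate:", rootV3.CheckSignature(rootV3.SignatureAlgorithm, rootV1.RawTBSCertificate, rootV3.Signature) == nil)
}
```

Two things to keep in mind when reading the result. First, the leaf chains to the V3 root here because Go's path builder selects the trust anchor by issuer name and then checks the signature with the anchor's key; since both encodings carry the same subject and the same SubjectPublicKeyInfo, either one works. A CA re-encoding its root should therefore keep the subject DN byte-for-byte identical, and if already-issued certificates carry an authorityKeyIdentifier, the new root's subjectKeyIdentifier should match it, because other validators may use those identifiers when selecting the issuer. Second, the V1 root is accepted as a trust anchor even though it has no basicConstraints; that is this verifier's treatment of V1 anchors, and the V3 encoding is where basicConstraints and keyUsage are actually expressed and checked.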
