Bug#514807: statistics about V1 CA Certs / general assumptions about the state of the network
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Mar 23 14:25:25 UTC 2009
On 03/23/2009 08:24 AM, Simon Josefsson wrote:
> Check RFC 5280: the TBSCertificate structure contains the version, and
> the structure is signed, so to change a V1 cert to V3 cert you'd have to
> re-sign it. That's possible of course, but you'll need the private key.
> And in that case, you'd might as well generate a new V3 certificate
> rather than converting information from an old one.
OK, that makes sense. But the holder of the secret key corresponding to
a V1 certificate could very well create a matching V3 certificate...
> I'm not sure what I meant above though: if the public key is the same,
> certs signed by the V1 cert may correctly chain back to the V3 cert.
This is the interesting bit, i think. If we could sort this out, test
it, and document how it, then we could provide a series of steps for CAs
to follow if they wanted to bring their root certificates into the
modern era. (of course, convincing these particular CAs to transform
their root certificates is another story!)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 890 bytes
Desc: OpenPGP digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20090323/42555dec/attachment.pgp
More information about the Pkg-gnutls-maint