Re: PKIX Profile for IKE - CA Certificates & IKE Identification Certificates
Maybe somewhat offtopic, but... here goes: I have a problem
understanding the certificate path. Say, peer sends
CA-0 -> CA-x -> CA-y -> CA-z(identity)
We trust CA-0, we have a path from CA-z to CA-0, but so what? Unless
we trust CA-y, CA-z and 'identity' could be anything at all.
CA-y could be any of the millions of entities that have a valid signed
certificate rooting on CA-0.
To me it seems that the path is only usable, if we already trust all
intermediates. But then, what do we need the path for? [Just to find
the culprits after the damage has occurred?]
I must be missing some point...
--
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/