
Re: XAdES - More secure than XML Dsig?

From: Rich Salz <rsalz@datapower.com>
Date: Thu, 11 Mar 2004 14:08:08 -0500
Message-ID: <4050B918.6050606@datapower.com>
To: Joseph Swaminathan <jswamina@cisco.com>
Cc: Anders Rundgren <anders.rundgren@telia.com>, w3c-ietf-xmldsig@w3.org

>         A novice question. Pardon me if it is obvious.
> What is the need for signing the X509 certificate?

Suppose I have a single keypair, but multiple certificates for that 
pair.  For example, I might have a cert that identifies me as an 
employee, for signing email, and I might have a cert that identifies me 
as an officer of the company, for signing official documents.

Unless I sign the cert, I can swap the two roles, and the receiver 
cannot tell.

Even worse, a "fraudulent" or irresponsible CA can mint a new 
certificate for my public key that contains all sorts of things.  Unless 
the receiver does full cert-chain validation (and really, who does that? 
  nobody:), they can be fooled by this fraudulent cert.

	/r$
-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
Received on Thursday, 11 March 2004 13:56:40 GMT
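
The role swap described in the message above, as an added example that is not part of the original post: two certificates share one keypair, and a signature over the document alone verifies whichever certificate is attached, while a signature that also covers the certificate's digest does not. The toy RSA, the certificate strings and all function names are assumptions made for illustration.

```python
import hashlib

# Toy textbook RSA over two Mersenne primes: stdlib-only and NOT secure.
# It exists only so that one keypair can be shared by two certificates.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data):
    return pow(_h(data), D, N)

def verify(data, sig):
    return pow(sig, E, N) == _h(data)

def make_cert(role):
    # Constructed stand-in for an X.509 cert: same public key, different role.
    return f"subject=Example Signer;role={role};n={N};e={E}".encode()

def signed_input(doc, cert=None):
    # When a cert is given, its fixed-length digest is covered by the signature.
    return doc if cert is None else hashlib.sha256(cert).digest() + doc

def receiver_accepts(doc, sig, attached_cert, cert_is_signed):
    # The receiver takes the key from whichever cert arrives with the message.
    # Both certs carry the same key, so only signed content can tell them apart.
    covered = attached_cert if cert_is_signed else None
    return verify(signed_input(doc, covered), sig)

EMPLOYEE = make_cert("employee")
OFFICER = make_cert("officer")
DOC = b"constructed sample document"

def demo():
    plain = sign(signed_input(DOC))            # cert not signed
    bound = sign(signed_input(DOC, EMPLOYEE))  # cert digest signed
    return {
        "plain, employee cert": receiver_accepts(DOC, plain, EMPLOYEE, False),
        "plain, swapped to officer": receiver_accepts(DOC, plain, OFFICER, False),
        "bound, employee cert": receiver_accepts(DOC, bound, EMPLOYEE, True),
        "bound, swapped to officer": receiver_accepts(DOC, bound, OFFICER, True),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```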
