Intermediate CA in certificate store

Hello

I would like to know why the intermediate CAs are stored in the
certificate store and not with the Roots. This would be the way all
others do it, like Firebird/Windows etc.

Many Thanks

Andreas

lst_hoe02(a)kwsoft.de wrote:

I would like to know why the intermediate CAs are stored in the
certificate store and not with the Roots. This would be the way all
others do it, like Firebird/Windows etc.

Because an intermediate certificate is not a root certificate :). Root
certificates are the certificates you 'blindly' trust (with blindly I
mean that trust is not inferred from a higher-level certificate).

Whether you store an intermediate certificate in its own separate store
is nothing more than how you present it to the user. I didn't want to
add another menu item just to show the intermediates in its own store
because they are stored in the same database as end user certificates.

Afaik Windows does not store the intermediates in the same store as the
roots (at least that's not what IE shows me).

Is there a particular reason you want the intermediate CAs to be stored
separately from the end user certificates?

Kind regards,

Martijn Brinkers


--
Djigzo open source email encryption

Quote from Martijn Brinkers <martijn(a)djigzo.com>:

lst_hoe02(a)kwsoft.de wrote:

I would like to know why the intermediate CAs are stored in the
certificate store and not with the Roots. This would be the way all
others do it, like Firebird/Windows etc.

Because an intermediate certificate is not a root certificate :). Root
certificates are the certificates you 'blindly' trust (with blindly I
mean that trust is not inferred from a higher-level certificate).

I would see it more from the perspective of trust. If you trust the "root"
you implicitly trust the intermediate CA derived from the root CA.

Whether you store an intermediate certificate in its own separate store
is nothing more than how you present it to the user. I didn't want to
add another menu item just to show the intermediates in its own store
because they are stored in the same database as end user certificates.

This would be confusing anyway...

Afaik Windows does not store the intermediates in the same store as the
roots (at least that's not what IE shows me).

Sorry, I was confused by Thunderbird on Windows...
You are right, Windows uses its own store for intermediate CAs.

Is there a particular reason you want the intermediate CAs to be stored
separately from the end user certificates?

The end user certificates are used to sign/encrypt/decrypt and can be
assigned to users, and the intermediate CAs should be handled like the
root CA, so it is a "sort-by-function" thing...

Would it be acceptable to only store "trusted" intermediate CAs for
which we have a root CA, and store them along with the roots?

Many Thanks

Andreas

lst_hoe02(a)kwsoft.de wrote:

The end user certificates are used to sign/encrypt/decrypt and can be
assigned to users, and the intermediate CAs should be handled like the
root CA, so it is a "sort-by-function" thing...

Would it be acceptable to only store "trusted" intermediate CAs for
which we have a root CA, and store them along with the roots?

The system needs to make a distinction between roots and non-roots.
Djigzo is designed to scale to large numbers of certificates (it
has been tested with more than 40.000 certificates). To make it scalable
the roots need to be stored separately. That however doesn't mean you
can visually show it differently to the user. I however like the roots
to be shown separately because whether you trust a root or not is
extremely important.

What perhaps can be added is a filter that allows you to filter on
intermediate certificates or end-user certificates. When selecting an
encryption certificate for a user, only end-user certificates are shown
by default.

Kind regards,

Martijn


--
Djigzo open source email encryption

Quote from Martijn Brinkers <martijn(a)djigzo.com>:

lst_hoe02(a)kwsoft.de wrote:

The end user certificates are used to sign/encrypt/decrypt and can be
assigned to users, and the intermediate CAs should be handled like the
root CA, so it is a "sort-by-function" thing...

Would it be acceptable to only store "trusted" intermediate CAs for
which we have a root CA, and store them along with the roots?

The system needs to make a distinction between roots and non-roots.

Ah, okay...

Djigzo is designed to scale to large numbers of certificates (it
has been tested with more than 40.000 certificates). To make it scalable
the roots need to be stored separately. That however doesn't mean you
can visually show it differently to the user. I however like the roots
to be shown separately because whether you trust a root or not is
extremely important.

Yes, but it is useful to separate "user" certs from CAs, for example to
find missing pieces in the CA path.

What perhaps can be added is a filter that allows you to filter on
intermediate certificates or end-user certificates. When selecting an
encryption certificate for a user, only end-user certificates are shown
by default.

As said, it is more the "sort-by-function" approach which led to the
question. I have learned to think in certificates and trust chains
where root CA and intermediate CA belong together. I can cope with it
if it is technically needed, but a sorting, e.g. to not show anything
with CA=true or to only show CA=true, would be nice to have.

Regards

Andreas
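The distinction the thread keeps circling around, roots you trust blindly versus intermediates whose trust is inferred from a root versus end-user certificates, and Andreas's two wishes (sort by CA=true, and spot a missing piece in the CA path) can be made concrete with the openssl command-line tool. The script below is an added example for this thread, not Djigzo code or anything from the list: it builds a constructed three-level chain (all names and keys are hypothetical throwaways), sorts each certificate "by function" from its basicConstraints CA flag and whether it is self-issued, and then validates the end-user certificate against the root alone and against root plus intermediate, which is exactly where a missing intermediate shows up. It assumes the `openssl` binary is on PATH and POSIX sh (dash or bash).

```shell
#!/bin/sh
# Added example (not Djigzo code): constructed root -> intermediate -> end-user
# chain, "sort-by-function" classification, and a CA-path completeness check.
# Names, keys and serial numbers are hypothetical throwaways.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a P-256 key and a CSR for subject $2, using $1 as the file prefix.
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" >/dev/null 2>&1
}

# Build the constructed PKI in directory $1.
make_chain() {
  d=$1
  # Root: CA:TRUE and self-signed, so its trust is not inferred from anything above it.
  new_csr "$d/root" "/CN=Example Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 \
    -days 30 -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
  # Intermediate: also CA:TRUE, but issued by the root, so it is not a trust anchor.
  new_csr "$d/inter" "/CN=Example Intermediate CA"
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" >/dev/null 2>&1
  # End-user S/MIME certificate: CA:FALSE, the kind assigned to a user to sign/encrypt.
  new_csr "$d/user" "/CN=Alice Example/emailAddress=alice@example.invalid"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\n' >"$d/ee.ext"
  openssl x509 -req -in "$d/user.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 30 -extfile "$d/ee.ext" -out "$d/user.pem" >/dev/null 2>&1
}

# Sort one PEM certificate by function. Echoes one of: root | intermediate | end-entity
classify() {
  cert=$1
  # A certificate counts as a CA only if basicConstraints says CA:TRUE.
  if openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
    is_ca=1
  else
    is_ca=0
  fi
  # Self-issued = subject name equals issuer name; the signature itself is
  # checked by verify_path, not here.
  if [ "$is_ca" -eq 1 ] && \
     [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
       "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
    echo root
  elif [ "$is_ca" -eq 1 ]; then
    echo intermediate
  else
    echo end-entity
  fi
}

# Validate end-user certificate $2 against trust anchor $1. Optional $3 supplies
# untrusted intermediates. Returns openssl's status: 0 = path complete,
# non-zero = a piece of the CA path is missing.
verify_path() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

make_chain "$WORK"
for name in root inter user; do
  printf '%-6s %-12s %s\n' "$name" "$(classify "$WORK/$name.pem")" \
    "$(openssl x509 -in "$WORK/$name.pem" -noout -subject)"
done

if verify_path "$WORK/root.pem" "$WORK/user.pem"; then
  echo "root only:           path complete"
else
  echo "root only:           path incomplete (intermediate missing)"
fi
if verify_path "$WORK/root.pem" "$WORK/user.pem" "$WORK/inter.pem"; then
  echo "root + intermediate: path complete"
fi
```

The classification is the "CA=true" filter Andreas asks for, with the self-issued test splitting the CA set into roots and intermediates; it relies on basicConstraints being present, as it is on any properly issued v3 certificate. The two verify_path calls make Martijn's point about why roots must be kept apart: the root is the only input that is trusted on its own, while the intermediate is merely supplied alongside the end-user certificate and is validated, not trusted, on the way up to the root.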