Quote from Martijn Brinkers <martijn(a)djigzo.com>:
I would like to know why the intermediate CAs are stored in the
certificate store and not with the Roots. This would be the way all
others do it like the Firebird/Windows etc.
Because an intermediate certificate is not a root certificate :). Root
certificates are the certificates you 'blindly' trust (with blindly I
mean that trust is not inferred from a higher level certificate).
I would see it more from perspective of trust. If you trust the "root"
you implicitly trust the intermediate CA derived from the root CA.
Whether you store an intermediate certificate in its own separate store
is nothing more than how you present it to the user. I didn't want to
add another menu item just to show the intermediates in its own store
because they are stored in the same database as end user certificates.
This would be confusing anyway...
Afaik Windows does not store the intermediates in the same store as the
roots (at least that's not what IE shows me).
Sorry, I was confused by Thunderbird on Windows...
You are right, Windows uses a separate store for intermediate CAs.
Is there a particular reason you want the intermediate CAs to be stored
separately from the end user certificates?
The end user certificates are used to sign/encrypt/decrypt and can be
assigned to users, and the intermediate CAs should be handled like the
root CA, so it is a "sort-by-function" thing...
Would it be acceptable to only store "trusted" intermediate CAs for
which we have a root CA and store them along with the roots??