| rfc9216v2.txt | rfc9216.txt | |||
|---|---|---|---|---|
| skipping to change at line 236 ¶ | skipping to change at line 236 ¶ | |||
| certified by their corresponding root CA) or in a three-link chain. | certified by their corresponding root CA) or in a three-link chain. | |||
| For example, Alice's encryption certificate (alice.encrypt.crt; see | For example, Alice's encryption certificate (alice.encrypt.crt; see | |||
| Section 4.3) can be validated by a peer that directly trusts the | Section 4.3) can be validated by a peer that directly trusts the | |||
| example RSA CA's root cert (ca.rsa.crt; see Section 3.1): | example RSA CA's root cert (ca.rsa.crt; see Section 3.1): | |||
| +==============+ +-------------------+ | +==============+ +-------------------+ | |||
| || ca.rsa.crt ||-->| alice.encrypt.crt | | || ca.rsa.crt ||-->| alice.encrypt.crt | | |||
| +==============+ +-------------------+ | +==============+ +-------------------+ | |||
| Figure 1: Validating Alice's encryption certificate directly when | ||||
| the issuing CA is a trust anchor | ||||
| And it can also be validated by a peer that only directly trusts the | And it can also be validated by a peer that only directly trusts the | |||
| example Ed25519 CA's root cert (ca.25519.crt; see Section 6.1) via an | example Ed25519 CA's root cert (ca.25519.crt; see Section 6.1) via an | |||
| intermediate cross-signed CA cert (ca.rsa.cross.crt; see | intermediate cross-signed CA cert (ca.rsa.cross.crt; see | |||
| Section 3.3): | Section 3.3): | |||
| +================+ +------------------+ +-------------------+ | +================+ +------------------+ +-------------------+ | |||
| || ca.25519.crt ||-->| ca.rsa.cross.crt |-->| alice.encrypt.crt | | || ca.25519.crt ||-->| ca.rsa.cross.crt |-->| alice.encrypt.crt | | |||
| +================+ +------------------+ +-------------------+ | +================+ +------------------+ +-------------------+ | |||
| Figure 2: Validating Alice's cert from a different trust anchor | ||||
| via an intermediate cross-signed CA certificate | ||||
| By omitting the cross-signed CA certs, it should be possible to test | By omitting the cross-signed CA certs, it should be possible to test | |||
| a "transvalid" certificate (an end-entity certificate that is | a "transvalid" certificate (an end-entity certificate that is | |||
| supplied without its intermediate certificate) in some | supplied without its intermediate certificate) in some | |||
| configurations. | configurations. | |||
| 2.6. Passwords | 2.6. Passwords | |||
| Each secret key presented in this document is represented as a PEM- | Each secret key presented in this document is represented as a PEM- | |||
| encoded PKCS #8 ([RFC5958]) object in cleartext form (it has no | encoded PKCS #8 ([RFC5958]) object in cleartext form (it has no | |||
| password). | password). | |||
| End of changes. 2 change blocks. | ||||
| 0 lines changed or deleted | 6 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
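
Review bot: The two figure captions in the rfc9216v2.txt column name the same object differently: Figure 1 says "Alice's encryption certificate" while Figure 2 shortens it to "Alice's cert", and neither figure is referenced by number from the surrounding paragraphs. Suggest wording Figure 2 as "Validating Alice's encryption certificate from a different trust anchor via an intermediate cross-signed CA certificate" so both captions match the alice.encrypt.crt box they describe. The "transvalid" paragraph could also point at Figure 2, since that is the chain from which the cross-signed CA cert (ca.rsa.cross.crt) would be omitted for that test.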