Java Mailing List Archive

http://www.junlu.com/

Tomcat Users

Certificates and SSL Authentication

Sander Smith

2004-05-26


I'm a bit confused concerning SSL certificates, and hope someone can shed
some light. In reading through the SSL spec concerning the SSL handshake,
it appears to me that the certificate that authenticates my server must be
signed by a certificate that is known to the client's browser. This would
preclude the following scenario:

(Root Certificate) => (Intermediate Cert1) => (Intermediate Cert2) =>
www.mysite.com

Where (Root Certificate) is known to the client but the intermediate
certificates are not. My certificate <SHOULD> be considered to be okay
since it is traceable back to a trusted certificate, but the SSL handshake
seems to say that this is not the case.

However, in looking at some real sites that have real certificates, I see
the opposite happening. In particular I see the following:

Verisign => (Intermediate) => www.somesite.com

Where Verisign is known to my browser, but the intermediate certificate is
not. It is of the form:

www.verisign.com/CPS Incorp.by Ref. ... (some other stuff)

What is going on here? Is there a way for the browser to get a copy of
the intermediate certificate if it isn't already known to it as a trusted
certificate?

Sander Smith



