ietf-smime

Re: SMIMECapabilities Attribute

1997-10-08 04:16:39
I agree.  Most of the time the two chains will be mostly the same.  We
don't want to duplicate the certs.  Let's just keep them where they are,
and add the attribute to indicate the key exchange cert.

        --Jeff

Jim Schaad (Exchange) wrote:

I have massive complaints about having two (or more) cert chains for the
purpose of conveying the difference between key exchange and signing
certs.  The overhead of carrying multiple chains (almost a certainty for
some products) is really bad in terms of message size.  This is
especially true given the current size and expected size of
certificates.

I have no specific objection to an authenticated property which says --
this is what you should use for my key exchange certificate, but I see
no real value in any more than this.  The process of building
certificate chains for verification needs to be done in any event as one
cannot rely that the chain provided will be either correct or useful any
more (certificates in the chain may have expired or been revoked).
