I believe that most clients transmit the certificate chain (not
including the root) today.
To the best of my knowledge, Outlook does not, and it has quite a large
market share ... (Although, I'd be happy to know how to make it do so if
there is a way ;) ).
I believe an end user can configure, to some degree, which certificates are
sent in a signed message. To access the UI in Outlook 2002, go to
Tools/Options/Security/Settings... There should be a check box for "Send
these certificates with signed messages". I have not verified as to what
exactly this checkbox controls (I am in a strict 1 level hierarchy so I
can't verify if sub-CAs are included without some prep work). I would
think that, despite its naming, Outlook 2002 will always send the signer's
certs, and depending on the state of the checkbox, the chain from the
signer's certs to a trusted root.
Can anybody confirm or deny my theory (do you have a more complex hierarchy
to test with)?
Thanks,
Darrell