While discussing this topic in non-list email, I had other points that
came up.
(1) The cert for a domain does not necessarily have the same CA as all
other certs for users in a domain.
Example:
admin(_at_)example(_dot_)com may have a CA assigned by
example.com; it could be self-signed.
doug(_at_)example(_dot_)com may have a cert provided by a CA
unrelated to that of admin(_at_)example(_dot_)com,
which can be a different cert from the site
https://virtual-host.com
that happens to be hosted on example.com.
Real-life example: DouglasRoyer(_at_)gmail(_dot_)com has a cert; the CA is
StartCom. (This email is signed by that StartCom cert.)
And it is not the same CA used by dns-admin(_at_)google(_dot_)com.
Both are at google.com; each has a different CA.
(2) Certificate chains: Doug(_at_)eng(_dot_)example(_dot_)com may have a cert signed by
eng.example.com, and the eng.example.com cert may be signed by the
example.com CA. The example.com CA could be self-signed, or be signed
by an outside CA.
--
Doug Royer - (http://DougRoyer.US http://goo.gl/yrxJTu )
DouglasRoyer(_at_)gmail(_dot_)com
714-989-6135
smime.p7s
Description: S/MIME Cryptographic Signature
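The two situations in the post above, rebuilt as an added, runnable Go example (not part of the original message or of any project it refers to): a self-signed example.com CA that issues an eng.example.com CA, which in turn issues a cert for doug@eng.example.com (point 2), and an unrelated self-signed CA that issues admin@example.com (point 1). All names, serials and keys are constructed here; the verifier only accepts a leaf when it chains to a trusted root through the supplied intermediates, carries the S/MIME (email protection) extended key usage, and names the expected address in its subjectAltName. The standard library's x509.Verify does the chain building; the email comparison is done by hand because Verify only checks DNS names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds the constructed certificates for the two points in the post.
type Scenario struct {
	ExampleRoot *x509.Certificate // example.com CA, self-signed
	EngCA       *x509.Certificate // eng.example.com CA, signed by ExampleRoot
	DougLeaf    *x509.Certificate // doug@eng.example.com, signed by EngCA
	OutsideCA   *x509.Certificate // an unrelated, self-signed CA (constructed)
	AdminLeaf   *x509.Certificate // admin@example.com, signed by OutsideCA
}

// caTemplate builds a CA certificate template valid for one day.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// emailTemplate builds an S/MIME end-entity template with the address as a SAN.
func emailTemplate(email string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
}

// issue generates a fresh P-256 key for tmpl and signs it with parentKey.
// A nil parent makes the certificate self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildScenario issues the whole constructed hierarchy described in the post.
func BuildScenario() (*Scenario, error) {
	root, rootKey, err := issue(caTemplate("example.com CA", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	eng, engKey, err := issue(caTemplate("eng.example.com CA", 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	doug, _, err := issue(emailTemplate("doug@eng.example.com", 3), eng, engKey)
	if err != nil {
		return nil, err
	}
	outside, outsideKey, err := issue(caTemplate("Unrelated CA", 4), nil, nil)
	if err != nil {
		return nil, err
	}
	admin, _, err := issue(emailTemplate("admin@example.com", 5), outside, outsideKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{ExampleRoot: root, EngCA: eng, DougLeaf: doug, OutsideCA: outside, AdminLeaf: admin}, nil
}

// VerifyEmailCert accepts leaf only if it chains to one of roots via the given
// intermediates, is usable for S/MIME, and lists email in its subjectAltName.
func VerifyEmailCert(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, email string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, i := range intermediates {
		interPool.AddCert(i)
	}
	opts := x509.VerifyOptions{Roots: rootPool, Intermediates: interPool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	for _, e := range leaf.EmailAddresses { // Verify does not check email SANs
		if e == email {
			return nil
		}
	}
	return fmt.Errorf("certificate is not issued to %s", email)
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	certs := func(c ...*x509.Certificate) []*x509.Certificate { return c }
	fmt.Println("doug via eng -> example.com root:", VerifyEmailCert(s.DougLeaf, certs(s.EngCA), certs(s.ExampleRoot), "doug@eng.example.com"))
	fmt.Println("doug against the unrelated CA:   ", VerifyEmailCert(s.DougLeaf, certs(s.EngCA), certs(s.OutsideCA), "doug@eng.example.com"))
	fmt.Println("admin via the unrelated CA:      ", VerifyEmailCert(s.AdminLeaf, nil, certs(s.OutsideCA), "admin@example.com"))
	fmt.Println("admin against example.com root:  ", VerifyEmailCert(s.AdminLeaf, nil, certs(s.ExampleRoot), "admin@example.com"))
}
```

The point the output makes is the one in the post: a verifier that trusts only the example.com root accepts doug@eng.example.com (through the eng.example.com intermediate) but rejects admin@example.com, and vice versa for the unrelated CA, so the trust decision for a mailbox has to be made per certificate, not per domain.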