From: Andreas K. <ku...@tr...> - 2014-11-24 19:33:40

Hi Michael,

got me ;-)

Anyway, you can delegate the signing of the OCSP response. But the
request makes use of the _issuer's_ certificate, doesn't it?

Greetings,

Andreas

> Andreas Kuehne wrote:
>> your idea to delete the root CA is a bit surprising to me! I would agree
>> that's a good idea to lock away the private key of the root, preferably
>> on a smart card or in an encrypted file with different holders of
>> credential parts.
>>
>> Without the root certificate all your chain validations will fail.
>> Making OCSP requests for the intermediate CA is 'difficult' without
>> having the issuing certificate at hand ...
> Andreas, this reveals that you're very much into SigG signature checking. ;-)
>
> "Normal" implementations (e.g. Firefox) usually only send OCSP requests for
> end entities.
>
> But you could even remove the root CA key if the root CA issued an OCSP
> responder cert with separate key pair (OCSP delegation).
>
> Ciao, Michael.

--
Andreas Kühne
phone: +49 177 293 24 97
mailto: ku...@tr...
Trustable Ltd.
Niederlassung Deutschland Ströverstr. 18 - 59427 Unna
Amtsgericht Hamm HRB 5868
Directors Andreas Kühne, Heiko Veit
Company UK Company No: 5218868 Registered in England and Wales
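
An OCSP request identifies a certificate by a CertID (RFC 6960): hashes of the issuer's name and public key plus the serial number, so building it takes the issuer's certificate but no private key. The following is an added example, not part of the original message; it assumes the Python `cryptography` package, and the CA names and dates are constructed placeholders.

```python
import datetime, hashlib
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Constructed test certificate; names and lifetime are placeholders."""
    now = datetime.datetime(2014, 11, 24)
    return (x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256()))

def build_demo():
    """Issue a sub CA from a root, drop the root key, then build the OCSP request."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    sub_key = ec.generate_private_key(ec.SECP256R1())
    root = make_cert("Example Root CA", root_key, "Example Root CA", root_key, True)
    sub = make_cert("Example Sub CA", sub_key, "Example Root CA", root_key, True)
    del root_key  # the private key is gone; only the root *certificate* remains
    # The request for the sub CA needs the sub CA cert and its issuer's cert only.
    req = ocsp.OCSPRequestBuilder().add_certificate(sub, root, hashes.SHA1()).build()
    return root, sub, req

def expected_certid(issuer, cert):
    """Recompute the CertID fields by hand from the issuer certificate."""
    name_hash = hashlib.sha1(issuer.subject.public_bytes()).digest()
    # issuerKeyHash covers the BIT STRING contents of the key, not the whole SPKI;
    # for an EC key those contents are the uncompressed point.
    key_bits = issuer.public_key().public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
    return name_hash, hashlib.sha1(key_bits).digest(), cert.serial_number

if __name__ == "__main__":
    root, sub, req = build_demo()
    print(req.issuer_name_hash.hex(), req.issuer_key_hash.hex(), req.serial_number)
```
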