Hi Marcel,

In my own setup I have 3 CAs (1 root and 2 sub CAs).
In the online part I have pub, ldap and node. The offline part consists of ra, ca, batch and node.

To me this makes sense because the offline part is unreachable, so people can only mess with requests and published data. The other logic is that if the RA is placed in the online part I have to re-check all requests at the CA to make sure that nobody was able to insert his/her own approved request (in case the security does not work very well).

So why should I not place the CA and the RA on the same machine?

I think this depends on your setup...
Most people use the system in a way that the RA Officers are spread over the company, and so the RA is reachable through the network. So if you use RA approval with signing, someone really must hack the RA server and modify it in a way that bluffs the Operator into signing a faked request - all in all not very likely...

When you are the only Operator driving the whole stuff, your setup is OK too...

Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72
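The "RA approval with signing" point Oliver makes, as an added example that is not part of this thread and not OpenCA code: the online RA forwards each approved CSR together with an RA officer signature over it, and the offline CA verifies that signature against a pinned RA officer public key before it issues anything, so a request inserted straight into the queue with no or a forged approval is rejected. It assumes only the openssl CLI; the key file names, the subject names and the ca_issue helper are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenCA code): an offline CA that only
# issues certificates for requests carrying a valid RA officer approval signature.
# Assumes the openssl CLI is available; all key names and subjects are invented.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# --- setup: RA officer key (lives on the online RA) and the CA's key/cert (offline) ---
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ra_officer.key 2>/dev/null
# Only the public half is handed to the offline CA, out of band, and pinned there.
openssl pkey -in ra_officer.key -pubout -out ra_officer.pub 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example Offline Sub-CA" -days 365 2>/dev/null

# --- online side: an end user's CSR, approved and signed by the RA officer ---
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "/CN=alice@example.test" 2>/dev/null
openssl dgst -sha256 -sign ra_officer.key -out user.csr.sig user.csr

# --- offline side: the CA re-checks the approval before signing ---
# ca_issue CSR SIGNATURE OUT -> returns 0 and writes OUT if the approval verifies,
# returns 1 and writes nothing otherwise.
ca_issue() {
    csr=$1; sig=$2; out=$3
    # The CA trusts only the pinned RA officer public key, never the CSR itself.
    if ! openssl dgst -sha256 -verify ra_officer.pub -signature "$sig" "$csr" >/dev/null 2>&1; then
        echo "REJECT: $csr has no valid RA officer approval" >&2
        return 1
    fi
    openssl x509 -req -in "$csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out "$out" -days 30 2>/dev/null
    echo "ISSUED: $out"
}

# 1) Legitimately approved request: issued.
ca_issue user.csr user.csr.sig user.crt

# 2) A request dropped into the queue with a forged "approval" (signed by a key that
#    is not the RA officer's): rejected even though the CSR itself is well-formed.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out attacker.key 2>/dev/null
openssl req -new -key attacker.key -out mallory.csr -subj "/CN=mallory@example.test" 2>/dev/null
openssl dgst -sha256 -sign attacker.key -out mallory.csr.sig mallory.csr
ca_issue mallory.csr mallory.csr.sig mallory.crt || true

# Working directory left in place for inspection:
echo "artifacts in $WORK"
```

The check is deliberately keyed to a public key the CA received out of band, not to anything carried inside the request: that is what makes "re-checking all requests at the CA" meaningful when the RA sits on a reachable network. With this in place, an attacker who can write into the request queue still cannot get a certificate without also compromising the RA officer's signing key.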
