In RACF:

1. Only a Certificate Authority (CA) certificate SHOULD issue certificates for others: for a user, for a server, for another CA.

2. We call a self-signed CA certificate a root certificate.

3. A CA certificate signed by another CA is called an intermediate CA.

4. CA certificates, whether root or intermediate, are owned by a special ID, CERTAUTH.

5. User certificates are owned by an ordinary RACF user ID.

6. Server certificates can be owned by an ordinary RACF user ID or by a special ID, SITE.

7. In the original support, when the FACILITY class is used to control access to the private key of the certificate in the key ring, we need the certificate to be owned by SITE in order to share the private key, by giving the ID of the application CONTROL access to IRR.DIGTCERT.GENCERT. That's the reason for having SITE as the owner. But in V1R10, when the RDATALIB class was introduced, this restriction was lifted: the owner does not need to be SITE.

8. Having SITE as the owner of a server certificate is logical. Having an ordinary ID as the owner of a server certificate has the benefit of enabling the same ID to own the key ring. A key ring cannot be owned by the SITE ID.

9. In the validation process, a SITE certificate can be used by a certificate validation application that honors it, without checking the whole chain of CAs. But I don't know if any common certificate validation application running on z/OS honors it yet.

10. Go back to #1: I said SHOULD. But RACF supports SITE issuing certificates too. I don't find a scenario that needs this support, though.

Wai Choi - RACF/PKI Design and Development

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
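Added example, not part of Wai Choi's post: a REXX exec that issues the RACDCERT and RDATALIB commands implementing the ownership model described in points 1 through 8 above. A self-signed root and an intermediate CA are created under CERTAUTH, the server certificate and its key ring are both owned by the same ordinary ID (the V1R10-and-later RDATALIB arrangement, not the older SITE-plus-FACILITY one), and the ring is guarded by an RDATALIB profile. The ID WEBSRV, ring WEBRING, the certificate labels and the distinguished names are hypothetical; the exec assumes the RDATALIB class is already active and RACLISTed and that it runs under an ID with the RACF authority to issue these commands.

```rexx
/* REXX - added example, not from the original post.                 */
/* Builds the ownership model described in the post:                 */
/*   root CA and intermediate CA owned by CERTAUTH,                  */
/*   server certificate and key ring owned by one ordinary ID,       */
/*   private-key access controlled with the RDATALIB class.          */
/* All IDs, labels, ring and DN values below are hypothetical.       */

owner   = 'WEBSRV'        /* ordinary RACF ID owning cert and ring   */
ring    = 'WEBRING'
rootLbl = 'EXAMPLEROOT'
intLbl  = 'EXAMPLEINT'
srvLbl  = 'WEBSRVCERT'

/* Points 2 and 4: self-signed root CA, owned by CERTAUTH */
call racf "RACDCERT CERTAUTH GENCERT",
   "SUBJECTSDN(CN('Example Root CA') O('Example') C('US'))",
   "WITHLABEL('"rootLbl"') SIZE(2048) NOTAFTER(DATE(2034-12-31))"

/* Points 3 and 4: intermediate CA, also CERTAUTH-owned, signed by root */
call racf "RACDCERT CERTAUTH GENCERT",
   "SUBJECTSDN(CN('Example Issuing CA') O('Example') C('US'))",
   "WITHLABEL('"intLbl"') SIZE(2048) NOTAFTER(DATE(2030-12-31))",
   "SIGNWITH(CERTAUTH LABEL('"rootLbl"'))"

/* Points 6 and 8: server certificate owned by the ordinary ID,      */
/* not by SITE, and signed by the intermediate CA                    */
call racf "RACDCERT ID("owner") GENCERT",
   "SUBJECTSDN(CN('www.example.com') O('Example') C('US'))",
   "WITHLABEL('"srvLbl"') SIZE(2048) NOTAFTER(DATE(2026-12-31))",
   "SIGNWITH(CERTAUTH LABEL('"intLbl"'))"

/* Point 8: the same ID owns the key ring (SITE cannot own a ring).  */
/* Connect the chain as CERTAUTH entries and the server certificate  */
/* as the default PERSONAL entry.                                    */
call racf "RACDCERT ID("owner") ADDRING("ring")"
call racf "RACDCERT ID("owner") CONNECT(CERTAUTH LABEL('"rootLbl"')",
   "RING("ring") USAGE(CERTAUTH))"
call racf "RACDCERT ID("owner") CONNECT(CERTAUTH LABEL('"intLbl"')",
   "RING("ring") USAGE(CERTAUTH))"
call racf "RACDCERT ID("owner") CONNECT(ID("owner") LABEL('"srvLbl"')",
   "RING("ring") USAGE(PERSONAL) DEFAULT)"

/* Point 7: RDATALIB profile <ringowner>.<ringname>.LST guards the   */
/* ring. READ lets the ring owner use its own private key; CONTROL   */
/* would be needed only for a different ID to use WEBSRV's key.      */
call racf "RDEFINE RDATALIB "owner"."ring".LST UACC(NONE)"
call racf "PERMIT "owner"."ring".LST CLASS(RDATALIB)",
   "ID("owner") ACCESS(READ)"
call racf "SETROPTS RACLIST(RDATALIB) REFRESH"
call racf "SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"

/* Check: ring contents, then the server certificate and its issuer  */
call racf "RACDCERT ID("owner") LISTRING("ring")"
call racf "RACDCERT ID("owner") LIST(LABEL('"srvLbl"'))"
exit 0

/* Issue one TSO command and stop at the first non-zero return code, */
/* so a failed GENCERT cannot be followed by a CONNECT of a missing  */
/* certificate.                                                      */
racf: procedure
  parse arg cmd
  say '>>' cmd
  address TSO cmd
  if rc <> 0 then do
    say 'Command failed, RC='rc
    exit rc
  end
return
```

Because the certificate owner and the ring owner are the same ID, READ on the RDATALIB profile is enough for the application running as WEBSRV to use the private key; if the application ran under a different ID, that ID would need CONTROL on WEBSRV.WEBRING.LST instead. The pre-V1R10 alternative the post describes (a SITE-owned certificate plus CONTROL access to IRR.DIGTCERT.GENCERT in the FACILITY class) is deliberately not shown, since it also forces the ring to be owned by a different ID than the certificate.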