emanuela wrote:

>Is somebody familiar with the following certificate question?
>For completing the validation chain of a certificate we found two ways:
>a.) Connect the involved intermediate CAs to the keyring
>b.) Connect the root CA to the keyring
>The mainframe acts in this case as client. All involved certificates trust the
>same root CA.
>Of course connecting the root CA to the keyring has some advantages:
>- Only one connect covers all intermediate CAs
>- The lifecycle of the root CA is longer
>- No risk that a new intermediate CA (under the same root) has been forgotten
>But are there some security issues or some other disadvantages to be
>considered when connecting the root CA?

This is so you can connect to an external server - that is, the certificate is certifying the outbound connection? If so, you only need the root. Normally intermediates aren't stored, as doing so means that if ANY of them expire, the connection fails. And you don't want that.

--
...phsiii

Phil Smith III
