Gregor Bethlen wrote:
OK, this may be. But what happens when you do a data exchange? The first cert the rootca approves gets serial 1 (module id == 0). The first cert the subca1 approves gets serial 1 (module id == 0). Same with subca2. As long as you don't exchange up to the rootca and then down to both subcas, this could work. But I have some doubts if you can have more certs with the same serial in one place (even if they are signed by different cas). But I don't know.
it's easy:
since each 'end-cert' is issued and therefore administrated at a different ca,
your root-ca is responsible for the certs it's issuing - in this case the certs of your sub-cas,
but not for the certs of those sub-cas,
and your sub-cas are responsible for the certs they issue.
the module-id is a totally openca-internal system to manage the data exchange between different levels
but - there will be only one ca with maybe several ras connected... but this doesn't matter here
and this is how it's commonly working: each ca, like written in the mail before, has its own universe (means: it's logically totally independent - so for the ids it's using)
- even if it's a sub-ca of another ca... doesn't matter, since the certs belong only to this ca
the root-ca -> sub-ca chain is only relevant for deciding on validity and verifying the trust-chain
so if you trust the root-ca you will automatically trust the certs signed by its sub-cas, so you need just one ca-cert
usually the chain gets verified something like: check who did sign, do we know and trust this ca?
does it have a self-signed cert - if not - try to go one step higher... and so on
if i'm right, you can also just trust one of your sub-cas (even if it's a sub-ca, means it doesn't have a self-signed cert but one signed by a higher ca in the trust-tree) so you won't accept certs of the other sub-ca for example, only your own...
greetings
dalini
--
Ives Steglich Email: [EMAIL PROTECTED]
System Administration Tel.: +49 (0)3677 - 69 4382/4383
Fax: +49 (0)3677 - 69 4399
Fraunhofer Institute for Digital Media Technology
Langewiesener Strasse 22
98693 Ilmenau Email (private): [EMAIL PROTECTED]
Germany http://www.openca.org
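The per-CA serial numbering and the chain verification described in the reply above, as an added OpenSSL shell demonstration that is not part of this thread and not OpenCA's own code: a root CA issues two sub-CAs, each sub-CA issues its first end-cert with serial 1, and verification is run once against the root and once trusting only one sub-CA. All key/cert file names and CN values are constructed, and `-partial_chain` assumes OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Constructed demo PKI: root -> sub1 -> end1 and root -> sub2 -> end2.
# end1 and end2 both carry serial 1; they are distinct because the
# identifying pair is (issuer, serial), not the serial alone.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > ee.ext

# new_key_csr NAME: private key plus CSR for subject CN=NAME
new_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
}

# issue ISSUER SUBJECT SERIAL EXTFILE: ISSUER signs SUBJECT's CSR with SERIAL
issue() {
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -set_serial "$3" \
    -extfile "$4" -days 30 -out "$2.pem" 2>/dev/null
}

build_pki() {
  new_key_csr root
  openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -extfile ca.ext \
    -days 30 -out root.pem 2>/dev/null          # self-signed trust anchor
  new_key_csr sub1; issue root sub1 1 ca.ext   # first cert the root issues: serial 1
  new_key_csr sub2; issue root sub2 2 ca.ext
  new_key_csr end1; issue sub1 end1 1 ee.ext   # first cert sub1 issues: serial 1
  new_key_csr end2; issue sub2 end2 1 ee.ext   # first cert sub2 issues: serial 1
}

# issuer_serial CERT: prints the (issuer, serial) pair that identifies CERT
issuer_serial() {
  openssl x509 -in "$1" -noout -issuer -serial | tr '\n' ' '
}

# verify_with ANCHOR CERT [UNTRUSTED]: exit 0 if CERT chains to ANCHOR.
# With only ANCHOR given, ANCHOR may be a non-self-signed sub-CA
# (-partial_chain), modelling "just trust one of your sub-cas".
verify_with() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}
```

Run `build_pki`, then `verify_with root.pem end1.pem sub1.pem` succeeds while `verify_with sub1.pem end2.pem` fails, since end2 was issued by the other sub-CA.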
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users