Hello dalini,

[EMAIL PROTECTED] wrote on 02.08.04 18:15:54:

>
> Gregor Bethlen wrote:
>
> > OK, this may be. But what happens when you do a dataexchange? The first cert the
> > rootca approves gets serial 1 (module id == 0). The first cert the
> > subca1 approves gets serial 1 (module id == 0). Same with subca2. As long as you
> > don't exchange up to the rootca and then down to both subcas, this
> > could work. But I have some doubts if you can have more certs with the same serial
> > in one place (even if they are signed by different cas). But I
> > don't know.
>
> it's easy:
> since each 'end-cert' is issued and therefore administrated at a different ca
> so your root-ca is responsible for the certs it's issuing - in this case the certs of
> your sub-cas
> but not for the certs of those sub-cas
>
> and your sub-cas are responsible for the certs they issue
>
> the module-id is a totally openca-internal system to manage the dataexchange between
> different levels
> but - there will be only one ca with maybe several ras connected... but this doesn't
> matter here
>

OK, but if I would make a dataexchange between the Root-CA and a Sub-CA, and there would be certificates with the same serialno. in Root-CA and Sub-CA, the dataexchange would lead to two certificates with the same serialno. in the database of the Sub-CA, one from Sub-CA, one from Root-CA (when they have the same module-id). I don't know if it's usual to make a dataexchange between Root-CA and Sub-CA; if not, there should be no problem with the module ids.

> and this is how it's commonly working, each ca, like written in the mail before, has
> its own
> universe (means: it's logically totally independent - so for the ids it's using)
> - even if it's a sub-ca of another ca... doesn't matter, since the certs belong
> only to this ca
>

OK, I understand this, but again, what happens when you exchange the certificates between the CAs?

> the root-ca -> sub-ca chain is only relevant for deciding on validity and verifying
> the trust-chain
> so if you trust the root-ca you will automatically trust the certs signed by its
> sub-cas so you need
> just one ca-cert
>
> usually the chain gets verified something like: check who did sign, do we know and
> trust this ca?
> does it have a self-signed cert - if not - try to go one step higher... and so on
>
> if i'm right, you can also just trust one of your sub-cas (even if it's a sub-ca,
> means doesn't have
> a self-signed cert but signed by higher ca in the trust-tree) so you won't accept
> certs of the other
> sub-ca for example, only your own...
>
>
>
> greetings
> dalini
>

Thanks,
Gregor

> --
> Ives Steglich                 Email: [EMAIL PROTECTED]
> System Administration         Tel.: +49 (0)3677 - 69 4382/4383
>                               Fax: +49 (0)3677 - 69 4399
>
> Fraunhofer Institute for Digital Media Technology
> Langewiesener Strasse 22
> 98693 Ilmenau                 Email (private): [EMAIL PROTECTED]
> Germany                       http://www.openca.org
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by OSTG. Have you noticed the changes on
> Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
> one more big change to announce. We are now OSTG- Open Source Technology
> Group. Come see the changes on the new OSTG site. www.ostg.com
> _______________________________________________
> Openca-Users mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/openca-users
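Added sketch (not code from the thread or from OpenCA) of the point dalini makes: a certificate is identified by the pair (issuer, serial number), so serials that restart at 1 in every CA survive a data exchange between Root-CA and Sub-CAs, and validation walks issuer links upward until a CA you trust. All names and serials are constructed, the OpenCA module-id is not modelled, and no signatures are checked.

```python
from collections import namedtuple

# Minimal stand-in for an X.509 certificate (constructed, no signature fields)
Cert = namedtuple("Cert", "subject issuer serial")

def issuer_serial(cert):
    # X.509 identity of a certificate: the pair (issuer, serialNumber)
    return (cert.issuer, cert.serial)

def serial_only(cert):
    # The key Gregor worried about: serial number without the issuer
    return cert.serial

def import_certs(store, exported, key=issuer_serial):
    """Merge exported certs into a CA database; return the keys that collided."""
    collisions = []
    for cert in exported:
        k = key(cert)
        if k in store and store[k] != cert:
            collisions.append(k)   # a different cert already owns this key
        else:
            store[k] = cert        # new entry, or the same cert seen again
    return collisions

def build_chain(cert, store, trust_anchors):
    """Follow issuer links upward until a trusted subject; None if no trusted path."""
    chain, seen, current = [cert.subject], {cert.subject}, cert
    while current.subject not in trust_anchors:
        if current.issuer in seen:  # self-signed (or a loop) without reaching trust
            return None
        current = next((c for c in store.values() if c.subject == current.issuer), None)
        if current is None:         # issuer cert not in the database
            return None
        seen.add(current.subject)
        chain.append(current.subject)
    return chain

# Constructed data (hypothetical names): the root signs the two sub-CA certs,
# and each sub-CA's first end-entity cert gets serial 1, as in the thread.
ROOT = Cert("Root-CA", "Root-CA", 1)
SUB1 = Cert("Sub-CA1", "Root-CA", 2)
SUB2 = Cert("Sub-CA2", "Root-CA", 3)
ALICE = Cert("alice", "Sub-CA1", 1)
BOB = Cert("bob", "Sub-CA2", 1)

def exchange_demo(key=issuer_serial):
    """Sub-CA1's database after exchanging up to the root and down to Sub-CA2."""
    db = {}
    import_certs(db, [SUB1, ALICE], key)                         # own CA cert, own end cert
    collisions = import_certs(db, [ROOT, SUB1, SUB2, BOB], key)  # the dataexchange
    return db, collisions
```

With the (issuer, serial) key the exchange imports cleanly; keyed on the serial alone, Root-CA's cert and Sub-CA2's first cert both collide with Sub-CA1's own serial 1.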
