Harald Koch wrote:

> I'm not quite sure either, to be honest, which is why I don't like the
> separate certificates approach. On the other hand, I'm told that the
> financial institutions, for whatever reason, *like* having separate certs
> (presumably so that different people can be given access to different
> private keys).

If your certificate signing key is only called into service very rarely, it
might well be convenient not to have to expose it in order to sign revocation
lists, which would conceivably require publication at a greater frequency.

> In my particular case, we have Root CA certificates that have the same
> identification (i.e. "cn=Harald's Bait Shop and CA"), but different
> keys and different keyUsage fields, a slightly simpler case I think.
> I'm told that this is a "standard feature" of one of the popular PKI
> products out there.

Is it legal for a self-signed certificate to include the keyUsage extension
without having the keyCertSign bit asserted? Would its self-signature verify
if its key is asserted only for verifying CRL signatures?

//oscar

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
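The thread turns on which keyUsage bits a certificate's key needs before a relying party may use it to check certificate signatures versus CRL signatures. The following is an added illustration for this discussion, not code from the thread or from OpenSSL: it decodes the keyUsage extension value (a DER BIT STRING, bit 0 being the most significant bit of the first content octet, as RFC 5280 section 4.2.1.3 numbers the bits) and applies that section's rule that, when the extension is present, the key may verify signatures on certificates only if keyCertSign is set and on CRLs only if cRLSign is set. The three sample DER values are constructed by hand to mirror the cases raised above: one key with both bits, a CRL-signing-only key and a certificate-signing-only key.

```python
"""Decode an X.509 keyUsage extension value and apply the RFC 5280 rule on
which bits are needed to verify certificate and CRL signatures.
Added example for this thread, not OpenSSL code; sample values are constructed."""

# RFC 5280 section 4.2.1.3 bit positions (bit 0 = MSB of the first payload octet).
KEY_USAGE_BITS = (
    "digitalSignature",   # 0
    "nonRepudiation",     # 1 (later renamed contentCommitment)
    "keyEncipherment",    # 2
    "dataEncipherment",   # 3
    "keyAgreement",       # 4
    "keyCertSign",        # 5
    "cRLSign",            # 6
    "encipherOnly",       # 7
    "decipherOnly",       # 8
)


def decode_key_usage(der: bytes) -> set:
    """Parse a DER BIT STRING (tag 0x03) holding keyUsage; return the set of
    asserted bit names. Only short-form lengths are handled, which is all a
    keyUsage value ever needs (its payload is at most two octets)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad length octet")
    unused = der[2]          # number of unused trailing bits in the last octet
    payload = der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("bad unused-bit count")
    total_bits = len(payload) * 8 - unused
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:
            break            # DER strips trailing zero bits, so absent == clear
        if payload[i // 8] & (0x80 >> (i % 8)):
            names.add(name)
    return names


def may_verify(key_usage, what: str) -> bool:
    """RFC 5280 4.2.1.3: if keyUsage is present, the key MUST NOT be used to
    verify signatures on certificates unless keyCertSign is set, nor on CRLs
    unless cRLSign is set. key_usage=None models an absent extension, which
    imposes no such restriction."""
    required = {"certificate": "keyCertSign", "crl": "cRLSign"}[what]
    if key_usage is None:
        return True
    return required in key_usage


# Constructed sample extnValue contents (hex). Note the unused-bit octet: DER
# requires trailing zero bits to be dropped, so it changes with the highest
# set bit.
SAMPLES = {
    "ca_and_crl": bytes.fromhex("03020106"),  # keyCertSign | cRLSign, 1 unused bit
    "crl_only":   bytes.fromhex("03020102"),  # cRLSign only, 1 unused bit
    "cert_only":  bytes.fromhex("03020204"),  # keyCertSign only, 2 unused bits
}


def report(label: str) -> dict:
    """Summarise what a validator would let the sample key verify."""
    ku = decode_key_usage(SAMPLES[label])
    return {
        "bits": sorted(ku),
        "certificates": may_verify(ku, "certificate"),
        "crls": may_verify(ku, "crl"),
    }


if __name__ == "__main__":
    for label in SAMPLES:
        print(label, report(label))
```

The decoder and the rule are deliberately separate because they answer different parts of the question. Whether a self-signature is cryptographically valid depends only on the public key, the signature and the signed bytes; the keyUsage bits do not enter that computation. What keyUsage governs is whether a relying party that honours the extension is allowed to treat the key as a certificate issuer at all, which is why a root whose keyUsage asserts only cRLSign can carry a perfectly verifiable self-signature and still be refused as a certificate issuer.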
