List: racf-l
Subject: Re: All involved Intermediate CAs or root CA only?
From: Wai Choi <wchoi () US ! IBM ! COM>
Date: 2017-02-23 0:02:09
Message-ID: OFC8889455.D0A328B6-ON002580CF.0082904D-852580D0.00003376 () notes ! na ! collabserv ! com
In fact there are issues when you DON'T connect the root CA in the
client's keyring. If any of the intermediate CAs is revoked, your
application will not know. Validation up to the root is a more secure way.
SAF key ring certificates are only validated to the trust anchor
certificate. If a sole intermediate certificate is found in a SAF key ring
and the next issuer is not found in the same SAF key ring, the
intermediate certificate acts as a trust anchor and the certificate chain
is considered complete (for compatibility reasons). But SSL key database
file, PKCS #12 file, and PKCS #11 token certificates are always validated
to the root CA certificate.
Regards,
Wai
Wai Choi - RACF/PKI Design and Development
From: emanuela <emanuela.riccardi@AXA-TECH.COM>
To: RACF-L@LISTSERV.UGA.EDU
Date: 02/14/2017 04:14 AM
Subject: All involved Intermediate CAs or root CA only?
Sent by: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>
Hello
Is somebody familiar with the following certificate question?
For completing the validation chain of a certificate we found two ways:
a.) Connect the involved intermediate CAs to the keyring
b.) Connect the root CA to the keyring
The mainframe acts in this case as client. All involved certificates trust
the same root CA.
Of course, connecting the root CA to the keyring has some advantages:
- Only one connect covers all intermediate CAs
- the lifecycle of the root CA is longer
- No risk that a new intermediate CA (under the same root) has been
forgotten
But are there some security issues or some other disadvantages to be
considered when connecting the root CA?
Kind regards,
Emanuela
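The two anchoring choices discussed in this thread, and the revocation gap Wai points out, can be reproduced with the OpenSSL command line. The script below is an added example and is not part of either post, nor z/OS, System SSL or RACF syntax: it builds a constructed three-level PKI (a self-signed root, an intermediate, a server leaf; file names root.crt, inter.crt, leaf.crt, ca.cnf are all invented for the demo), then validates the leaf three ways. With the root as the only trusted certificate the chain is built to the root and every level is checked against the CRL bundle; with the intermediate as the trusted certificate and a partial chain allowed (the SAF key ring compatibility behaviour described above) validation stops at the intermediate; with the intermediate alone and no partial-chain allowance (the SSL key database / PKCS #12 / PKCS #11 behaviour) validation fails because no self-signed root is reachable. After the root revokes the intermediate, only the root-anchored check notices. It assumes openssl 1.1.1 or 3.x on PATH and leaves its files in a temporary directory for inspection.

```shell
#!/bin/sh
# Added example (not from the list post). Models the thread's two trust-anchor
# choices with the OpenSSL CLI. Every name/file below is constructed for the
# demo; nothing here is z/OS or RACF syntax. Needs openssl 1.1.1 or 3.x.
set -eu

# One config for req, x509 and ca. The 'openssl ca' section (used only for
# CRL issuance) is parameterised by the CA environment variable.
write_config() {
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = issuer
[ issuer ]
ca = $ENV::CA
database = $ca.idx
serial = $ca.serial
crlnumber = $ca.crlnum
private_key = $ca.key
certificate = $ca.crt
new_certs_dir = .
default_md = sha256
policy = any_dn
[ any_dn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF
}

# make_cert NAME CN ISSUER EXT_SECTION   (ISSUER "self" = self-signed root)
make_cert() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" -config ca.cnf
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.crt" -days 365 \
      -extfile ca.cnf -extensions "$4"
  else
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
      -out "$1.crt" -days 365 -extfile ca.cnf -extensions "$4"
  fi
}

# issue_crl CA: publish CA's current CRL; all.crl is the bundle handed to verify.
issue_crl() { CA="$1" openssl ca -config ca.cnf -gencrl -crldays 30 -out "$1.crl"; }

# Fresh PKI in a temp dir: root -> inter -> leaf, plus an (empty) CRL per CA.
build_pki() {
  WORK=$(mktemp -d); cd "$WORK"; echo "working in $WORK"
  export CA=root
  write_config
  for ca in root inter; do : > "$ca.idx"; echo 1000 > "$ca.serial"; echo 01 > "$ca.crlnum"; done
  make_cert root  "Example Root CA"     self  v3_ca
  make_cert inter "Example Issuing CA"  root  v3_ca
  make_cert leaf  "server.example.test" inter v3_leaf
  issue_crl root; issue_crl inter; cat root.crl inter.crl > all.crl
}

# The root revokes the intermediate and republishes its CRL.
revoke_intermediate() {
  CA=root openssl ca -config ca.cnf -revoke inter.crt
  issue_crl root; cat root.crl inter.crl > all.crl
}

# Root is the trust anchor: chain built to the root, CRL checked at every level.
verify_root_anchored() {
  openssl verify -crl_check_all -CAfile root.crt -CRLfile all.crl \
    -untrusted inter.crt leaf.crt >/dev/null
}
# Intermediate is the trust anchor (SAF key ring compatibility case): the
# chain ends at inter, so only the leaf is checked against a CRL.
verify_inter_anchored() {
  openssl verify -partial_chain -crl_check -CAfile inter.crt -CRLfile all.crl \
    leaf.crt >/dev/null
}
# Intermediate alone, no partial-chain allowance (SSL key database / PKCS #12 /
# PKCS #11 behaviour): validation must reach a self-signed root and cannot.
verify_inter_strict() { openssl verify -CAfile inter.crt leaf.crt >/dev/null; }

verdict() { if "$1"; then echo OK; else echo FAIL; fi; }

show() {
  echo "$1: root anchor=$(verdict verify_root_anchored)" \
       "intermediate anchor=$(verdict verify_inter_anchored)" \
       "intermediate without partial chain=$(verdict verify_inter_strict)"
}

run_scenario() {
  build_pki
  show "before revocation"
  revoke_intermediate
  show "after revocation"
}

run_scenario
```

Before the revocation both anchoring choices report OK and only the strict (no partial chain) check fails; after the root revokes the intermediate, the root-anchored check fails with "certificate revoked" while the intermediate-anchored check still reports OK, because a trust anchor is never itself looked up in a CRL. The `-crl_check` versus `-crl_check_all` difference is deliberate: a client that anchors at the intermediate has no issuer certificate with which to validate the root's CRL, so that revocation can never be consumed.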