List:       racf-l
Subject:    Re: All involved Intermediate CAs or root CA only?
From:       Wai Choi <wchoi () US ! IBM ! COM>
Date:       2017-02-23 0:02:09
Message-ID: OFC8889455.D0A328B6-ON002580CF.0082904D-852580D0.00003376 () notes ! na ! collabserv ! com
In fact there are issues when you DON'T connect the root CA in the 
client's keyring. If any of the intermediate CAs is revoked, your 
application will not know. Validation up to the root is a more secure way. 
SAF key ring certificates are only validated to the trust anchor 
certificate. If a sole intermediate certificate is found in a SAF key ring 
and the next issuer is not found in the same SAF key ring, the 
intermediate certificate acts as a trust anchor and the certificate chain 
is considered complete (for compatibility reasons). But SSL key database 
file, PKCS #12 file, and PKCS #11 token certificates are always validated 
to the root CA certificate.

Regards,
Wai 

Wai Choi - RACF/PKI Design and Development




From:   emanuela <emanuela.riccardi@AXA-TECH.COM>
To:     RACF-L@LISTSERV.UGA.EDU
Date:   02/14/2017 04:14 AM
Subject:        All involved Intermediate CAs or root CA only?
Sent by:        RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>



Hello,

Is somebody familiar with the following certificate question?

For completing the validation chain of a certificate we found two ways:
a.) Connect the involved intermediate CAs to the keyring
b.) Connect the root CA to the keyring
The mainframe acts in this case as client. All involved certificates trust 
the same root CA.

Of course, connecting the root CA to the keyring has some advantages:
- Only one connect covers all intermediate CAs
- The lifecycle of the root CA is longer
- No risk that a new intermediate CA (under the same root) has been 
forgotten

But are there some security issues or some other disadvantages to be 
considered when connecting the root CA?

Kind regards,
Emanuela
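The following is an added example, not code from either poster or from IBM, that models the two behaviours Wai Choi contrasts above: a key ring that holds only an intermediate lets that intermediate become the trust anchor (chain "complete", and a revocation of the intermediate goes unnoticed because nothing above the anchor is ever checked), whereas a key ring with the root CA connected validates the whole chain and catches the revoked intermediate. It uses Go's standard `crypto/x509` verifier with an in-memory test hierarchy; the `keyring` type, its `revoked` serial map (a constructed stand-in for CRL/OCSP data) and the `strictRoot` switch that imitates the key-database / PKCS #12 / PKCS #11 rule are all assumptions of this example, not SAF or System SSL internals.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// keyring models a SAF key ring: the CA certificates connected to it are the
// trust anchors. revoked is a constructed stand-in for CRL/OCSP data (assumption).
type keyring struct {
	anchors *x509.CertPool
	revoked map[string]bool // serial number -> revoked
}

func newKeyring(anchors []*x509.Certificate, revoked map[string]bool) keyring {
	pool := x509.NewCertPool()
	for _, c := range anchors {
		pool.AddCert(c)
	}
	return keyring{anchors: pool, revoked: revoked}
}

// validate builds the chain from leaf through the presented intermediates to
// whichever anchor the key ring holds, then checks every certificate below the
// anchor for revocation. The anchor itself is trusted as-is and never checked,
// so when an intermediate is the anchor its own revocation is invisible.
// strictRoot imitates the key-database rule from the post: the anchor must be
// a self-signed root, otherwise the chain is rejected.
func validate(leaf *x509.Certificate, presented []*x509.Certificate, kr keyring, strictRoot bool) (string, error) {
	inter := x509.NewCertPool()
	for _, c := range presented {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: kr.anchors, Intermediates: inter})
	if err != nil {
		return "", err
	}
	chain := chains[0]
	anchor := chain[len(chain)-1]
	name := anchor.Subject.CommonName
	if strictRoot && anchor.CheckSignatureFrom(anchor) != nil {
		return name, errors.New("chain ends at a non-self-signed anchor; root CA required")
	}
	for _, c := range chain[:len(chain)-1] { // everything except the anchor
		if kr.revoked[c.SerialNumber.String()] {
			return name, fmt.Errorf("%q is revoked", c.Subject.CommonName)
		}
	}
	return name, nil
}

type pki struct{ root, inter, leaf *x509.Certificate }

// buildPKI issues a constructed root -> intermediate -> server hierarchy in memory.
func buildPKI() pki {
	now := time.Now()
	tmpl := func(cn string, serial int64, ca bool) *x509.Certificate {
		t := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			BasicConstraintsValid: true, IsCA: ca,
		}
		if ca {
			t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		} else {
			t.KeyUsage = x509.KeyUsageDigitalSignature
			t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
		return t
	}
	issue := func(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		if err != nil {
			panic(err)
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			panic(err)
		}
		return c
	}
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootT := tmpl("Test Root CA", 1, true)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey) // self-signed
	inter := issue(tmpl("Test Intermediate CA", 2, true), root, &interKey.PublicKey, rootKey)
	leaf := issue(tmpl("server.example.test", 3, false), inter, &leafKey.PublicKey, interKey)
	return pki{root, inter, leaf}
}

func main() {
	p := buildPKI()
	revoked := map[string]bool{p.inter.SerialNumber.String(): true} // the intermediate has been revoked
	presented := []*x509.Certificate{p.inter}                        // what the server sends alongside its cert
	cases := []struct {
		name    string
		anchors []*x509.Certificate
		strict  bool
	}{
		{"root CA connected", []*x509.Certificate{p.root}, false},
		{"intermediate only, SAF compatibility rule", []*x509.Certificate{p.inter}, false},
		{"intermediate only, key-database rule", []*x509.Certificate{p.inter}, true},
	}
	for _, tc := range cases {
		anchor, err := validate(p.leaf, presented, newKeyring(tc.anchors, revoked), tc.strict)
		fmt.Printf("%-44s anchor=%-24q err=%v\n", tc.name, anchor, err)
	}
}
```

Run with `go run`: the first case reaches the root and reports the revoked intermediate, the second case treats the intermediate as the anchor and reports a clean chain, and the third rejects the chain because its anchor is not a self-signed root. The difference between cases one and two is exactly the gap described in the reply: revocation is only ever evaluated for certificates below the anchor.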