Bear Giles wrote:
> Anyway, in a case like this one way to handle the RA->CA traffic is
> for the RA to sign certs that it approves, and then the CA re-signs
> them with the published CA certs. The RA needs to be able to sign
> certs, but you really want everyone to use the certs published by the
> CA, not the RA. Hence the usage restrictions.

I think the RA should sign CSRs, not certs, but then that's my particular misunderstanding. There shouldn't be a cert at this point, other than a self-signed thingie such as a PKCS10 or DN+SPKAC.

The RA is responsible for DN conformance and other policy conformance as far as the organization unit for which it operates is concerned.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]