Hi Franck,

Franck Martin wrote:

> Just an extra comment,
>
> From the certification trust path, I'm wondering if you have used the
> following:
>
> One Root CA certificate, that creates the various "Sub Root CA
> certificates" which are used to sell your products.

That is right!

> The advantage is that the Root CA certificate can be removed from the
> system and be placed totally off-line (no hacker will be able to get
> access to the private key except by breaking in your premises). The
> Sub-Root CA certificates are then used in day to day operations and can
> be left on a machine....

Again, you are right. Another advantage is that you can build a Sub-CA whenever you want, depending on your needs. If a Sub-CA's private key is compromised, you do not need to revoke all your certificates: just the certificate segment belonging to the compromised key. Since by definition the Root Key is off-line, this one cannot be attacked...

> Cheers.
>
> Franck Martin
> Network and Database Development Officer
> SOPAC South Pacific Applied Geoscience Commission
> Fiji
> E-mail: [EMAIL PROTECTED]
> Web site: http://www.sopac.org/
> Support FMaps: http://fmaps.sourceforge.net/
> Certificate: https://www.sopac.org/ssl/
>
> This e-mail is intended for its addresses only. Do not forward this
> e-mail without approval. The views expressed in this e-mail may not be
> necessarily the views of SOPAC.

Best Regards

#------ Averroes

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
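The hierarchy discussed in this message, as an added example that is not part of the original thread: a root CA signs two sub-CAs, each sub-CA issues one leaf, and the root then revokes only sub-CA A. All names, file names and the config section names (Demo Root, subA, leafB, root_ext, ...) are constructed for the demo, and the root key sits on disk here only because this is a throwaway directory.

```shell
# Constructed demo of the hierarchy above: one root, two sub-CAs, revoke only A.
set -e
cd "$(mktemp -d)"
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = CN
[ ca ]
default_ca = root
[ root ]
database = index.txt
serial = serial
new_certs_dir = .
default_md = sha256
default_crl_days = 30
policy = pol
x509_extensions = sub_ext
[ pol ]
commonName = supplied
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ sub_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF
: > index.txt; echo 01 > serial
q() { "$@" >/dev/null 2>&1; }          # run quietly, keep the exit status
CA="openssl ca -batch -days 365 -config ca.cnf -cert root.pem -keyfile root.key"
# Root: self-signed. root.key is the key that would be kept off-line.
q openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions root_ext \
  -subj "/CN=Demo Root" -days 3650 -keyout root.key -out root.pem
for n in A B; do                        # each sub-CA issues one leaf
  q openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=Demo Sub $n" \
    -keyout "sub$n.key" -out "sub$n.csr"
  q $CA -notext -in "sub$n.csr" -out "sub$n.pem"
  q openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=leaf-$n" \
    -keyout "leaf$n.key" -out "leaf$n.csr"
  q openssl x509 -req -in "leaf$n.csr" -CA "sub$n.pem" -CAkey "sub$n.key" \
    -CAcreateserial -days 30 -out "leaf$n.pem"
done
# Sub-CA A's key is compromised: the root revokes that one certificate.
q $CA -revoke subA.pem; q $CA -gencrl -out root.crl

# Accept a leaf only if its sub-CA is not on the root CRL and the chain builds.
# (-crl_check_all does both in one call but also needs each sub-CA's own CRL.)
chain_ok() {
  q openssl verify -CAfile root.pem -CRLfile root.crl -crl_check "sub$1.pem" &&
  q openssl verify -CAfile root.pem -untrusted "sub$1.pem" "leaf$1.pem"
}
```

After the run, `chain_ok A` fails and `chain_ok B` succeeds: everything under sub-CA A is cut off by one CRL entry, while sub-CA B and its leaf are untouched.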