Existing applications that know about the "root" CA work without configuration changes. New applications that need to know about the new "larger" PKI just add the new root to their list of trust anchors. I suppose that's really a bridge-CA.
I don't think branched cert chains need to get involved, so I don't think I need to qualify or disclaim what I wrote. Yes, I ignored the details of distributing the new root certificate; there's a limit on the column length, ya know. In retrospect, adding "(and get the new root distributed and used)" would probably have been worth adding.
At any rate, the key point is that if you anchor everything you do under a single root, then moving your tree underneath something else is a lot easier if only one "root" has to move, rather than everything.
okay?
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
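The scenario in the mail above, as an added worked example that is not part of the original message or of OpenSSL's own documentation: a small hierarchy (one self-signed root, one leaf) is moved under a new "larger" root by cross-certifying the old root's existing key and name, and `openssl verify` is then run as each kind of relying party would see it. The CA names, the host name `leaf.example.test`, and the function names `build_pki` and `verify_leaf` are constructed for this example; it assumes an `openssl` binary (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example (not from the original mail): re-root a PKI by cross-certifying
# its existing root under a new root, then check what each relying party sees.
# All names below (Old Root CA, New Root CA, leaf.example.test) are constructed.
set -eu

# Build the PKI in a scratch directory and print the directory's path.
build_pki() {
  work=$(mktemp -d)
  (
    cd "$work"
    # 1. The existing self-signed root that deployed applications already trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout old_root.key -out old_root.crt -subj "/CN=Old Root CA" 2>/dev/null
    # 2. An end-entity certificate issued by that root.
    printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout leaf.key -out leaf.csr -subj "/CN=leaf.example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA old_root.crt -CAkey old_root.key -CAcreateserial \
      -days 365 -extfile leaf.ext -out leaf.crt 2>/dev/null
    # 3. The new root the whole tree is being moved under.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout new_root.key -out new_root.crt -subj "/CN=New Root CA" 2>/dev/null
    # 4. Cross-certificate: the new root certifies the old root's existing key and
    #    name as a subordinate CA. Nothing below the old root is reissued.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > cross.ext
    openssl req -new -key old_root.key -out old_root.csr -subj "/CN=Old Root CA" 2>/dev/null
    openssl x509 -req -in old_root.csr -CA new_root.crt -CAkey new_root.key -CAcreateserial \
      -days 365 -extfile cross.ext -out old_root_cross.crt 2>/dev/null
  )
  echo "$work"
}

# verify_leaf DIR TRUSTED [UNTRUSTED]: print OK or FAIL for the leaf certificate
# as seen by a relying party whose only trust anchor is TRUSTED and which was
# handed the optional UNTRUSTED certificate alongside the leaf.
verify_leaf() {
  dir=$1; trusted=$2; untrusted=${3:-}
  if [ -n "$untrusted" ]; then
    openssl verify -CAfile "$dir/$trusted" -untrusted "$dir/$untrusted" \
      "$dir/leaf.crt" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$dir/$trusted" "$dir/leaf.crt" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  fi
}

pki=$(build_pki)
# Existing application: trusts only the old root, no configuration change.
echo "old app, old root only:                $(verify_leaf "$pki" old_root.crt)"
# New application: trusts only the new root; the cross-cert bridges the gap.
echo "new app, new root + cross-cert:        $(verify_leaf "$pki" new_root.crt old_root_cross.crt)"
# New application that was never given the cross-cert: chain cannot be built.
echo "new app, new root, no cross-cert:      $(verify_leaf "$pki" new_root.crt)"
rm -rf "$pki"
```

The third check is the caveat the mail alludes to: adding the new root to a trust store is only half of the move; the cross-certificate (or a path to it) still has to reach the relying parties that were given only the new root, otherwise they cannot build a chain to anything issued under the old one.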