Kyle Hamilton wrote:
I truly, truly wish that people would stop thinking themselves into
the "crypto box".
A CA needs to be only as secure as the things that its certificates
secure. In this case, if they're trying to create user authentication
certificates for their customers so that they can have the full
benefits of mutual authentication (which benefits include immunity
from the recent prefix-injection attack, among others), why shouldn't
their issuing CA be online? No entity other than their authentication
server needs to trust that CA.
Yes, but if the root private key used by this CA gets compromised, then
you can no longer trust anything it signed. I would not entrust any
sort of authoritative private key to a system on which I didn't have
some sort of SLA with all parties who had access to the systems and storage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org