RE: Trusted Root Certificates
Jim,
In the Certificate Management Library v2.0, only self-signed root
certificates can be designated as trusted. In v2.1, available on 21
June 2002, any CA certificate, self-signed or otherwise, can be
designated as trusted.
The rationale for the current restriction is that the signature on
self-signed certificates can be verified and nearly all PKIs originate
with a trusted root cert. However, as your example illustrates, there
are valid requirements for supporting trusted certs that aren't
self-signed.
- Rich
---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@xxxxxxxxxxxxxxxx
(301) 939-2722
> -----Original Message-----
> From: Jim Craigie [mailto:Jim.Craigie@xxxxxxxxxxxxxx]
> Sent: Monday, April 08, 2002 5:46 PM
> To: Pawling, John
> Cc: imc-sfl@xxxxxxx
> Subject: Trusted Root Certificates
>
> SFL only allows self-signed Certificates to be configured as
> Trusted Root Certificates. Is there a reason for this? It
> seems an inappropriate restriction. It seems perfectly
> reasonable to trust all the Certificates issued by a CA
> without necessarily having to trust all other "sibling" CAs -
> that is those with the same root CA.
>
> For example, UK Government has one root CA, and each
> department has its own CA under this root CA. It seems
> reasonable to be able to configure trust for one UK
> Government Department (e.g. defence) without having to trust all
> other UK government departments.
>
> Jim
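The scoping of trust Jim describes, shown as an added example that is not part of this thread and is not SFL or Certificate Management Library code: a toy path validator in Python that walks issuer links from an end-entity certificate and stops at whichever certificate has been designated a trust anchor, whether or not that anchor is self-signed. The CA names, key identifiers and the HMAC used as a stand-in for a real public-key signature are all constructed for the example; the point under test is the anchor-termination logic, not the signature primitive. `is_self_signed` is the check a v2.0-style store would apply before accepting an anchor.

```python
"""Toy X.509-style path validation that terminates at a designated trust anchor,
whether or not that anchor is self-signed (added example, not SFL/CML code)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed toy key material: key_id -> secret. A real PKI uses asymmetric keys;
# here the same secret both signs and verifies so the anchor logic can run offline.
KEYS = {
    "ukgov-root-key": b"root-secret",
    "defence-key": b"defence-secret",
    "health-key": b"health-secret",
    "alice-key": b"alice-secret",
    "bob-key": b"bob-secret",
}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str       # identifies the key certified by this cert
    signature: bytes  # toy signature by the issuer's key over the to-be-signed fields


def _tbs(subject: str, issuer: str, key_id: str) -> bytes:
    return f"{subject}|{issuer}|{key_id}".encode()


def issue(subject: str, key_id: str, issuer: str, issuer_key_id: str) -> Cert:
    sig = hmac.new(KEYS[issuer_key_id], _tbs(subject, issuer, key_id), hashlib.sha256).digest()
    return Cert(subject, issuer, key_id, sig)


def verify(cert: Cert, issuer_cert: Cert) -> bool:
    """Check that names chain and that cert's signature verifies under issuer_cert's key."""
    if cert.issuer != issuer_cert.subject:
        return False
    expected = hmac.new(KEYS[issuer_cert.key_id],
                        _tbs(cert.subject, cert.issuer, cert.key_id), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def is_self_signed(cert: Cert) -> bool:
    """The v2.0-style precondition for an anchor: the cert verifies under its own key."""
    return cert.subject == cert.issuer and verify(cert, cert)


class PathError(Exception):
    pass


def build_path(leaf: Cert, anchors: list, intermediates: list, max_depth: int = 8) -> list:
    """Walk issuer links from leaf until a trust anchor verifies the current cert.
    Returns the subject names on the path, anchor last; raises PathError otherwise.
    A self-signed cert that is not an anchor ends the walk with a failure, and
    max_depth bounds the walk in case the issuer graph contains a loop."""
    anchors_by_subject = {a.subject: a for a in anchors}
    inter_by_subject = {c.subject: c for c in intermediates}
    path = [leaf]
    cert = leaf
    for _ in range(max_depth):
        anchor = anchors_by_subject.get(cert.issuer)
        if anchor is not None and verify(cert, anchor):
            return [c.subject for c in path] + [anchor.subject]
        if cert.subject == cert.issuer:
            raise PathError(f"reached self-signed cert {cert.subject!r} that is not a trust anchor")
        parent = inter_by_subject.get(cert.issuer)
        if parent is None or not verify(cert, parent):
            raise PathError(f"no trusted issuer for {cert.subject!r} (issuer {cert.issuer!r})")
        path.append(parent)
        cert = parent
    raise PathError("path too long (possible issuer loop)")


def ukgov_pki():
    """Constructed hierarchy matching the thread: one root, one CA per department."""
    root = issue("UK Gov Root CA", "ukgov-root-key", "UK Gov Root CA", "ukgov-root-key")
    defence = issue("Defence CA", "defence-key", "UK Gov Root CA", "ukgov-root-key")
    health = issue("Health CA", "health-key", "UK Gov Root CA", "ukgov-root-key")
    alice = issue("alice@defence", "alice-key", "Defence CA", "defence-key")
    bob = issue("bob@health", "bob-key", "Health CA", "health-key")
    return root, defence, health, alice, bob


def demo() -> dict:
    root, defence, health, alice, bob = ukgov_pki()
    pool = [root, defence, health]
    results = {}
    # Anchor = Defence CA (not self-signed): Defence users chain, Health users do not.
    results["alice/defence-anchor"] = build_path(alice, [defence], pool)
    try:
        build_path(bob, [defence], pool)
        results["bob/defence-anchor"] = "accepted"
    except PathError:
        results["bob/defence-anchor"] = "rejected"
    # Anchor = self-signed root: every department chains.
    results["alice/root-anchor"] = build_path(alice, [root], pool)
    results["bob/root-anchor"] = build_path(bob, [root], pool)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

With only the Defence CA in the anchor set, Bob's certificate climbs to the self-signed root and is rejected there because the root is not an anchor, which is exactly the sibling-CA exclusion the thread asks for; moving the anchor to the root makes both paths validate.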