On Wed, Oct 8, 2008 at 8:07 AM, István Zsolt BERTA <[EMAIL PROTECTED]> wrote:
>> Well, I don't get it. Your diagram at
>> http://srv.e-szigno.hu/menu/index.php?lap=english_ca_hierarchy shows
>> clearly that you are issuing intermediate CA certificates from the root,
>> but in the previous comment you claimed that the CA is only allowed to use
>> * signing qualified end-user certificates and
>> * signing CRLs.
>> Does this apply to the intermediate CA certificates but not the CA root?
>
> It applies to the private key used for signing qualified certificates
> (end-entity certificates issued to natural persons) only, so it does
> not apply to roots that sign CA certificates.

Okay, I'm a bit confused. The Root CA itself does not sign qualified
certificates, but it authenticates the private key used to sign
qualified certificates?

>> > We have a root, which does not issue end-user certificates, but issues
>> > CA certificates for our own CAs only.
>
>> Which root is that? I understand there is only one root up for inclusion...
>
> We requested the inclusion of one root, 'Microsec e-Szigno Root CA'
> only.
> (The root 'e-Szigno OCSP CA' is our OCSP root. The root 'Közigazgatási
> Gyökér Hitelesítés Szolgáltató' is a Hungarian governmental root
> operated by the Hungarian government that cross-certifies certain
> commercial CAs (like Microsec), it does not belong to us. The gray
> ones below are our test roots for testing purposes, they do not belong
> to our official system.)

The 'Microsec e-Szigno Root CA' is a different CA name than 'e-Szigno
OCSP CA', and thus the OCSP CA does not match the X.509 or OCSP
requirements to be able to sign OCSP responses for 'Microsec e-Szigno
Root CA'.

-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
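
The responder-authorization question raised in the message above, as an added example that is not part of the original thread: a simplified model of the acceptance rules in RFC 6960 section 4.2.2.2 (unchanged from RFC 2560) that a relying party applies to the certificate that signed an OCSP response. The `Cert` type, the key-id strings and all certificate names are constructed for illustration; signature and chain validation are assumed to happen elsewhere.

```python
from dataclasses import dataclass

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning


@dataclass(frozen=True)
class Cert:
    """Hypothetical, reduced view of a certificate (not a real parser)."""
    subject: str
    issuer: str
    key_id: str          # stand-in for the certificate's public key
    signed_by: str       # stand-in for the key that signed this certificate
    eku: frozenset = frozenset()


def responder_authorized(issuing_ca, responder, local_trust=frozenset()):
    """Decide whether `responder` may sign OCSP responses for certificates
    issued by `issuing_ca`. Returns (allowed, reason)."""
    # Rule 1: the relying party explicitly configured this responder for this CA.
    if (issuing_ca.key_id, responder.key_id) in local_trust:
        return True, "locally configured responder"
    # Rule 2: the response is signed with the issuing CA's own certificate.
    if responder == issuing_ca:
        return True, "issuing CA"
    # Rule 3: delegated responder, issued directly by the same CA and
    # carrying the OCSP-signing extended key usage.
    if responder.issuer != issuing_ca.subject or responder.signed_by != issuing_ca.key_id:
        return False, "responder certificate not issued by the issuing CA"
    if OCSP_SIGNING_EKU not in responder.eku:
        return False, "responder certificate lacks id-kp-OCSPSigning"
    return True, "delegated responder"


# Constructed sample certificates.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "K-root", "K-root")
SEPARATE_OCSP_ROOT = Cert("CN=Example OCSP CA", "CN=Example OCSP CA",
                          "K-ocsp", "K-ocsp", frozenset({OCSP_SIGNING_EKU}))
DELEGATED = Cert("CN=Example OCSP Responder", "CN=Example Root CA",
                 "K-resp", "K-root", frozenset({OCSP_SIGNING_EKU}))
NO_EKU = Cert("CN=Example Server", "CN=Example Root CA", "K-srv", "K-root")

if __name__ == "__main__":
    for name, cert in [("root", ROOT), ("separate OCSP root", SEPARATE_OCSP_ROOT),
                       ("delegated", DELEGATED), ("no EKU", NO_EKU)]:
        print(name, responder_authorized(ROOT, cert))
```

A separately named, self-signed OCSP root passes only through rule 1, which requires each relying party to configure it explicitly.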