On Wed, 23 Nov 2005 17:54:44 -0800 (PST)
"william(at)elan.net" <[EMAIL PROTECTED]> wrote:

> 
> 
> On Thu, 24 Nov 2005, George Michaelson wrote:
> 
> > According to what I understand, there have to be two certificates
> > per entity:
> >
> >     one is the CA-bit enabled certificate, used to sign subsidiary
> >     certificates about resources being given to other people to use.
> >
> >     the other is a self-signed NON-CA certificate, used to sign
> >     route assertions you are attesting to yourself: you make
> >     this cert using the CA cert you get from your logical parent.
> 
> So how is the 2nd one different from the first?  

The important distinction is that the certificate used to sign resource
assertions doesn't have the CA bit set.

-George
