LHC Computer Grid - Rollout
> [mailto:[log in to unmask]] On Behalf Of David Groep
said:
> The CAs below are rather special, since they do not issue certificates
> to end-entities, but to other CAs only. There CAs have very
> special access procedures to access the key, and generating a CRL
every month is
> practically impossible.
OK - but an expiry date of 2011 still seems a bit extreme!
> For example, to get to the ESnet Root CA 1 key,
> you need the physical presence of three people, one of whom need to
> be flown in from a remove site, and the amount of auditing to
> be performed takes over a day :-)
Do they launch a few ballistic missiles while they're at it? ;)
Stephen
|