Dear all,
Just to start the discussion on the PKI for the interop.
At present we can count on two separate hierarchies of CAs.
The first hierarchy has the following structure:
    RootCA
    |     \
    LevelA  TSA1
    |
    LevelB
    |
    users
So end-entity certs are generated by the CA in LevelB. At present, the
three CAs generate CRLs and each one also incorporates an OCSP server
(direct model), so that we may get both types of revocation information.
Additionally, the root CA also certifies a TSA.
Finally, for this hierarchy there are a number of pre-generated
end-entity certificates: one is expired; the other is revoked. These
end-entity certs could also be used for negative test cases.
In addition, I think that there are also some intermediate CA whose cert
is also revoked, although I am not completely sure.
The second hierarchy is a hierarchy that incorporates only a root CA
that certifies a second TSA. No end entities are certified here. I will
explain in the call what this second hierarchy is for.
May I suggest that we start discussions on what PKI requirements we have
for conducting the DSS interop tests?
Regards
Juan Carlos.