On 10/22/2017 03:54 PM, ScorpionSting wrote:
> They're also against Intermediates. They'd rather an "exception CA" than
> an Intermediate.
> Think I'll just take the easy way out and say the eDir CA is "required
> for normal operation" and just use the external for things like iManager
> and iMonitor, but leave all IDM stuff with the CA......we've got far too
> many RL's to go and update the CA cert on (not being lazy of course -
> LOL)

If I were you (but still being as ornery as I am) I would probably still
make sure they understand that owning a CA does not, at all, mean you can
decrypt all traffic from that CA. More to their point or old belief
system, if they believe that having possession of a Private Key magically
means they can decrypt all traffic used in a connection making use of that
private key, they are also wrong. It is pretty rare for up-to-date
software to use non-Perfect Forward Secrecy ciphersuites, except as a last
resort (if those are still enabled), and that basically means forcing your
clients to use ancient versions of Firefox or Chrome (versions that are
the better part of a decade old), which is psychotic. If they are being
sold an HSM solution for anything that has to do with capturing all data,
they're being misled.

That's about all, though. May they spend their money however they see fit.

Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
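An added example, not part of the post above, of the distinction it makes between a private key that can recover session keys and one that cannot. OpenSSL reports each suite's key-exchange method in the "kea" field of SSLContext.get_ciphers(); only the non-ephemeral exchanges (RSA key exchange and friends) let a holder of the server's private key decrypt captured traffic, while ECDHE/DHE suites and every TLS 1.3 suite use ephemeral keys that the long-term key merely signs. The SAMPLE_CIPHERS list is constructed to mirror the shape get_ciphers() returns; the function names and the restricted cipher string are this example's own choices, not anything from the post or from Micro Focus products.

```python
import ssl

# Key-exchange labels OpenSSL reports for ephemeral (forward-secret) exchanges
# in the "kea" field of SSLContext.get_ciphers(). TLS 1.3 suites report
# "kx-any" because TLS 1.3 has no non-ephemeral key exchange at all.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}


def forward_secret(cipher):
    """True if the cipher dict (as returned by SSLContext.get_ciphers())
    negotiates an ephemeral key exchange, i.e. the server's long-term
    private key only signs the handshake and cannot recover session keys."""
    if cipher.get("protocol") == "TLSv1.3":
        return True
    return cipher.get("kea") in EPHEMERAL_KX


def split_by_forward_secrecy(ciphers):
    """Partition cipher dicts into two name lists:
    (forward secret, decryptable by whoever holds the server private key)."""
    pfs, key_recoverable = [], []
    for c in ciphers:
        (pfs if forward_secret(c) else key_recoverable).append(c["name"])
    return pfs, key_recoverable


def pfs_only_context():
    """Client context that refuses every TLS 1.2 suite whose session keys a
    holder of the server's private key could recover (RSA key exchange).
    TLS 1.3 suites stay enabled; they are always forward secret."""
    ctx = ssl.create_default_context()
    # OpenSSL cipher-list syntax: only ECDHE/DHE key exchange with AEAD ciphers.
    # The exact string is this example's choice, not a recommendation from the post.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
    return ctx


# Constructed sample (not a live scan): the shape get_ciphers() returns.
SAMPLE_CIPHERS = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "kea": "kx-any"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe"},
    {"name": "DHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "kea": "kx-dhe"},
    # Plain RSA key exchange: the premaster secret is encrypted to the server's
    # public key, so the private key decrypts the whole session.
    {"name": "AES256-GCM-SHA384", "protocol": "TLSv1.2", "kea": "kx-rsa"},
]


if __name__ == "__main__":
    pfs, weak = split_by_forward_secrecy(SAMPLE_CIPHERS)
    print("forward secret:", pfs)
    print("decryptable with the server private key:", weak)
    # What this interpreter's OpenSSL enables by default versus the restricted context.
    _, default_weak = split_by_forward_secrecy(ssl.create_default_context().get_ciphers())
    print("non-PFS suites in the default context:", default_weak)
    _, restricted_weak = split_by_forward_secrecy(pfs_only_context().get_ciphers())
    print("non-PFS suites after restriction:", restricted_weak)
```

Running the block prints which suites your own OpenSSL build still enables with RSA key exchange; those are the only sessions a captured private key (in an HSM or otherwise) would let a passive observer decrypt, and a client or server that drops them, as pfs_only_context() does, leaves nothing for such a setup to recover.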