On 10/22/2017 03:54 PM, ScorpionSting wrote:
>
> They're also against Intermediates. They'd rather an "exception CA" than
> an Intermediate.
>
> Think I'll just take the easy way out and say the eDir CA is "required
> for normal operation" and just use the external for things like iManager
> and iMonitor, but leave all IDM stuff with the CA......we've got far too
> many RL's to go and update the CA cert on (not being lazy of course -
> LOL)


If I were you (but still being as ornery as I am) I would probably still
make sure they understand that owning a CA does not, at all, mean you can
decrypt all traffic from that CA. More to their point or old belief
system, if they believe that having possession of a Private Key magically
means they can decrypt all traffic used in a connection making use of that
private key, they are also wrong. It is pretty rare for up to date
software to use non-Perfect Forward Secrecy ciphersuites, except as a last
resort (if those are still enabled), and that basically means forcing your
clients to use ancient versions of Firefox or Chrome (versions that are
the better part of a decade old), which is psychotic. If they are being
sold an HSM solution for anything that has to do with capturing all data,
they're being misled.

That's about all, though. May they spend their money however they see fit.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
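To make the forward-secrecy point in the reply above concrete, here is an added example (not from this thread, and not code from any product named in it) in Go using only the standard library. X25519 stands in for the key exchange, an ECDSA key for the CA-certified server identity, and a long-term static X25519 key for the non-PFS (RSA key transport style) case; every key and the "observer who later obtained all the private keys" are constructed inside the code.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Simulate one key exchange. The server holds a long-term identity key (what a
// CA would certify) plus a long-term static DH key standing in for RSA key
// transport. With pfs=true the DH share is a fresh ephemeral key that the
// identity key merely signs. Reports whether client and server agree on the
// session secret, and whether a passive observer who recorded the handshake and
// later obtained every long-term private key can derive that same secret.
func Simulate(pfs bool) (peersAgree, observerRecovers bool, err error) {
	identity, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return }
	staticDH, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return }
	srvDH := staticDH
	if pfs {
		if srvDH, err = ecdh.X25519().GenerateKey(rand.Reader); err != nil { return }
	}
	// On the wire: server share, identity-key signature over it, client share.
	share := srvDH.PublicKey()
	digest := sha256.Sum256(share.Bytes())
	sig, err := ecdsa.SignASN1(rand.Reader, identity, digest[:])
	if err != nil { return }
	cliDH, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return }
	// Client checks the share is signed by the certified identity, then derives.
	if !ecdsa.VerifyASN1(&identity.PublicKey, digest[:], sig) {
		return false, false, errors.New("bad signature on server share")
	}
	clientSecret, err := cliDH.ECDH(share)
	if err != nil { return }
	serverSecret, err := srvDH.ECDH(cliDH.PublicKey())
	if err != nil { return }
	peersAgree = bytes.Equal(clientSecret, serverSecret)
	// Observer: the identity key only ever signed, and the ephemeral private key
	// is gone, so the only DH the stolen long-term keys can complete uses staticDH.
	observerSecret, err := staticDH.ECDH(cliDH.PublicKey())
	observerRecovers = bytes.Equal(observerSecret, clientSecret)
	return
}
```

Running Simulate(false) shows the stolen static key recovering the session secret; Simulate(true) shows that with an ephemeral share the same stolen keys (and by extension the CA's) get you nothing.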