Roland,
The oldest of the three LotW root CAs hasn't been in use for several
years and can be discarded. I think I heard that they lost the
private key for it, or something silly like that.
The second one is their SHA1 root CA cert that they've been using up
until this year, but should be kept around for a while because some
people still have call sign certs in that chain. Since call sign
certs are only signed for two years, you can discard that root CA too
once the existing call sign certs expire.
The latest LotW root CA was created this year using modern crypto
tech. It was necessary because it's expected that SHA1 will be broken
within a few years, so everyone's in a hurry to move away from it.
-Cory
NQ1E
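The retirement rule Cory describes (keep a root only while some unexpired call sign cert still chains to it, and move off SHA1 signatures) can be checked mechanically. The following Go program is an added example, not code from the list or from LotW: it builds a constructed three-root scenario with Go's standard crypto/x509 package (ECDSA keys, SHA256 signatures, hypothetical root and call sign names) and, for a given date, reports which roots a trust store still needs. The SHA1 flag is shown on the algorithm identifier only, since current Go releases refuse to verify SHA1-signed chains anyway.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Reference date for the worked example (the date of the thread); constructed.
var now = time.Date(2015, time.October, 27, 0, 0, 0, 0, time.UTC)

// caTemplate builds a root-CA template valid for the given window.
func caTemplate(serial int64, name string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate builds an end-entity template with the two-year lifetime
// that call sign certs get, as stated in the thread.
func leafTemplate(serial int64, callSign string, issued time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: callSign},
		NotBefore:    issued,
		NotAfter:     issued.AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// issue signs tmpl with the parent's key, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// weakSignature reports whether a signature algorithm relies on MD2, MD5 or SHA-1.
func weakSignature(alg x509.SignatureAlgorithm) bool {
	switch alg {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// rootsStillNeeded returns, per root CN, whether at least one leaf chains to
// that root and is valid at time t. A root with no such leaf can be dropped.
func rootsStillNeeded(roots, leaves []*x509.Certificate, t time.Time) map[string]bool {
	needed := make(map[string]bool, len(roots))
	for _, root := range roots {
		pool := x509.NewCertPool()
		pool.AddCert(root)
		needed[root.Subject.CommonName] = false
		for _, leaf := range leaves {
			opts := x509.VerifyOptions{Roots: pool, CurrentTime: t,
				KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
			if _, err := leaf.Verify(opts); err == nil {
				needed[root.Subject.CommonName] = true
				break
			}
		}
	}
	return needed
}

// buildScenario mirrors the thread with constructed, hypothetical names: an old
// root whose certs have all expired, the previous root with a live call sign
// cert, and the new root created this year.
func buildScenario() (roots, leaves []*x509.Certificate) {
	year := func(y int) time.Time { return time.Date(y, 1, 1, 0, 0, 0, 0, time.UTC) }
	oldRoot, oldKey := issue(caTemplate(1, "LoTW Root (old)", year(2003), year(2023)), nil, nil)
	prevRoot, prevKey := issue(caTemplate(2, "LoTW Root (previous)", year(2010), year(2030)), nil, nil)
	newRoot, newKey := issue(caTemplate(3, "LoTW Root (2015)", year(2015), year(2035)), nil, nil)

	a, _ := issue(leafTemplate(10, "OLD1AA", year(2011)), oldRoot, oldKey)   // expired 2013
	b, _ := issue(leafTemplate(11, "SHA1BB", year(2014)), prevRoot, prevKey) // expires 2016
	c, _ := issue(leafTemplate(12, "NEW1CC", now), newRoot, newKey)         // expires 2017-10-27
	return []*x509.Certificate{oldRoot, prevRoot, newRoot}, []*x509.Certificate{a, b, c}
}

func main() {
	roots, leaves := buildScenario()
	for _, t := range []time.Time{now, time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)} {
		fmt.Println("trust store needed at", t.Format("2006-01-02"))
		needed := rootsStillNeeded(roots, leaves, t)
		for _, r := range roots {
			fmt.Printf("  %-22s keep=%v\n", r.Subject.CommonName, needed[r.Subject.CommonName])
		}
	}
	fmt.Println("SHA1WithRSA is weak:", weakSignature(x509.SHA1WithRSA))
}
```

Run against a real store, the same loop would take the roots and the issued call sign certs parsed from disk instead of the constructed ones; the decision logic (keep a root while any unexpired leaf verifies against it, at the date of interest) is unchanged.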
On Tue, Oct 27, 2015 at 1:28 PM, Roland Schwarz
<roland.schwarz(a)blackspace.at> wrote:
On 27.10.2015 at 21:20, Tom SP2L wrote:
Simple and PERFECT explanation!
I agree. Exactly what I always understood.
Why do we have/need three (unrelated) lotw root CA's then? Where do they
fit into this picture?
Regards, Roland
--
_________________________________________
_ _ | Roland Schwarz
|_)(_ |
| \__) | mailto:roland.schwarz@blackspace.at
________|
http://www.blackspace.at
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net