Roland,
The oldest of the three LotW root CAs hasn't been in use for several years and can be discarded. I think I heard that they lost the private key for it, or something silly like that.
The second one is their SHA1 root CA cert that they've been using up until this year, but should be kept around for a while because some people still have call sign certs in that chain. Since call sign certs are only signed for two years, you can discard that root CA too once the existing call sign certs expire.
The latest LotW root CA was created this year using modern crypto tech. It was necessary because it's expected that SHA1 will be broken within a few years, so everyone's in a hurry to move away from it.
-Cory NQ1E
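As an added example (not from this thread, and not LotW's own tooling), a small Python model of the retirement rule described above: a root CA only has to stay in the trust store while some call sign certificate that chains to it is still unexpired, and since call sign certs are signed for two years, a root can go two years after it last issued one. All certificate names, dates and the intermediate CA below are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Call sign certs are signed for two years (as stated in the thread).
CALLSIGN_CERT_LIFETIME = timedelta(days=2 * 365)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str     # equals subject for a self-signed root
    not_after: str  # ISO date; ISO strings compare correctly as text
    sig_hash: str   # hash used in the signature, e.g. "sha1" or "sha256"


def callsign_expiry(issued: str) -> str:
    """Expiry (ISO date) of a call sign cert issued on the given ISO date."""
    return (date.fromisoformat(issued) + CALLSIGN_CERT_LIFETIME).isoformat()


def chain_root(cert, by_subject):
    """Follow issuer links up to the self-signed cert at the top of the chain."""
    seen, cur = set(), cert
    while cur.issuer != cur.subject:
        if cur.subject in seen:
            raise ValueError("issuer loop at " + cur.subject)
        seen.add(cur.subject)
        cur = by_subject[cur.issuer]  # KeyError means the chain is incomplete
    return cur


def root_retirement_dates(roots, intermediates, leaves):
    """Per root: latest expiry of any leaf chaining to it (None if no leaf does)."""
    by_subject = {c.subject: c for c in [*roots, *intermediates, *leaves]}
    latest = {r.subject: None for r in roots}
    for leaf in leaves:
        root = chain_root(leaf, by_subject).subject
        if root not in latest:
            raise ValueError(leaf.subject + " chains to untrusted root " + root)
        if latest[root] is None or leaf.not_after > latest[root]:
            latest[root] = leaf.not_after
    return latest


def prune_trust_store(roots, intermediates, leaves, today: str):
    """Roots that can be dropped on 'today': no leaf chaining to them is still valid."""
    dates = root_retirement_dates(roots, intermediates, leaves)
    return sorted(s for s, d in dates.items() if d is None or d < today)


# Constructed sample data: three roots like the ones discussed, one hypothetical intermediate.
ROOTS = [
    Cert("LotW Root 1", "LotW Root 1", "2020-01-01", "sha1"),    # oldest, no live leaves
    Cert("LotW Root 2", "LotW Root 2", "2025-01-01", "sha1"),    # SHA1 root used until 2015
    Cert("LotW Root 3", "LotW Root 3", "2035-01-01", "sha256"),  # new root created in 2015
]
INTERMEDIATES = [Cert("LotW Issuing CA", "LotW Root 3", "2030-01-01", "sha256")]
LEAVES = [
    Cert("CALLSIGN-A", "LotW Root 2", callsign_expiry("2015-03-01"), "sha1"),
    Cert("CALLSIGN-B", "LotW Issuing CA", callsign_expiry("2015-09-01"), "sha256"),
]
```

On the sample data, only the oldest root can be dropped in October 2015; the SHA1 root becomes droppable once its last two-year leaf has expired in early 2017.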
On Tue, Oct 27, 2015 at 1:28 PM, Roland Schwarz roland.schwarz@blackspace.at wrote:
On 27.10.2015 at 21:20, Tom SP2L wrote:
Simple and PERFECT explanation!
I agree. Exactly what I always understood.
Why do we have/need three (unrelated) lotw root CA's then? Where do they fit into this picture?
Regards, Roland
-- Roland Schwarz | mailto:roland.schwarz@blackspace.at | http://www.blackspace.at
44Net mailing list, 44Net@hamradio.ucsd.edu, http://hamradio.ucsd.edu/mailman/listinfo/44net