Re: Issuing Enterprise Subordinate CA - Why not a DC?

From: Paul Adare (padare_at_newsguy.com)
Date: 03/03/05


Date: Thu, 3 Mar 2005 09:34:32 -0500

In article <112e7ppda55e7a2@corp.supernews.com>, in the
microsoft.public.windows.server.security news group, Dave
<dsturgeon@dont.send.any.spam.here.gmail.com> says...

> Thanks for the good information Steve. One more question-
>
> It appears that it is recommended that the stand alone root be installed on
> a machine that is not a member of the domain. I am guessing this is due to
> the secure channel passwords that are only good for 30 days and would
> therefore cause problems if the machine were off the network for longer
> periods than that. I would prefer to install it on a domain member that I
> just take off the network and put back once every couple weeks to sync up.
> What are your thoughts on this?
>

Why?

The whole point of a standalone offline root is that you never, ever
attach it to a network, which dramatically increases the security of the
private key.

Why do you feel the need to install a standalone root on a member
server? What is the perceived benefit here?

-- 
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
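
An added illustration, not part of the thread (neither Dave's nor Paul's words): the checks a practitioner would run on a host proposed as the offline standalone root before installing Certificate Services. It assumes a current Windows host (the NetAdapter cmdlets need Windows 8 / Server 2012 or later) and an elevated PowerShell session; the function name is made up for this example. The first check is the one Paul's reply turns on, whether the box is a domain member at all. The remaining checks only apply if someone insists on a domain member, and they read the Netlogon parameters that govern the machine-account (secure channel) password rotation Dave mentions.

```powershell
# Added example (not from the original post). Inspect a Windows host that is
# being considered as an offline standalone root CA. An offline root should be
# a workgroup machine with no connected network adapters.

function Get-OfflineRootCandidateReport {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $report = [ordered]@{
        ComputerName      = $cs.Name
        PartOfDomain      = $cs.PartOfDomain
        DomainOrWorkgroup = if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup }
    }

    if ($cs.PartOfDomain) {
        # These values are the registry targets of the Group Policy settings
        # "Domain member: Disable machine account password changes" and
        # "Domain member: Maximum machine account password age".
        $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        $params   = Get-ItemProperty -Path $netlogon

        $report.DisablePasswordChange = if ($null -ne $params.DisablePasswordChange) {
            [int]$params.DisablePasswordChange
        } else { 0 }

        # Rotation interval in days; Windows uses 30 when the value is absent.
        $report.MaximumPasswordAgeDays = if ($null -ne $params.MaximumPasswordAge) {
            [int]$params.MaximumPasswordAge
        } else { 30 }

        # Needs a reachable DC. On an isolated host this fails, which is the
        # situation the thread is discussing.
        try {
            $report.SecureChannelOk = Test-ComputerSecureChannel -ErrorAction Stop
        } catch {
            $report.SecureChannelOk    = $false
            $report.SecureChannelError = $_.Exception.Message
        }
    }

    # Adapters currently up: an offline root should report none.
    $report.ConnectedAdapters = @(
        Get-NetAdapter -ErrorAction SilentlyContinue |
            Where-Object Status -eq 'Up' |
            Select-Object -ExpandProperty Name
    )

    [pscustomobject]$report
}

$r = Get-OfflineRootCandidateReport
$r | Format-List

if ($r.PartOfDomain) {
    Write-Warning "Host is joined to $($r.DomainOrWorkgroup); an offline standalone root should be a workgroup machine."
}
if ($r.ConnectedAdapters.Count -gt 0) {
    Write-Warning "Network adapters are up: $($r.ConnectedAdapters -join ', ')"
}
```

If the report shows PartOfDomain set to True, the fix is to leave the domain before installing the CA rather than to tune the Netlogon values; the registry readout is there so you can see what a domain-joined root would be depending on, not as a recommended configuration.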

