.... plus following the same good security practices, your Root CA should be
offline, while an offline domain controller isn't any good nowadays...
--
HTH,
Dobromir
Learn more about Security and Identity Management:
Visit http://www.iamechanics.com
"Paul Adare" <pkadare@gmail.com> wrote in message
news:1tj95axsmmjus.1997pdyfpo2mj.dlg@40tude.net...
> On Tue, 8 Apr 2008 17:18:04 -0700, Gunna wrote:
>
>> that an Enterprise Root CA has to be a domain controller? What about
>> subordinates?
>
> Absolutely not true. In fact, if you follow good security practices where
> you want to reduce the attack surface on your core infrastructure servers,
> a domain controller should only ever be a domain controller, and a CA
> should only ever be a CA.
>
> --
> Paul Adare
> http://www.identit.ca
> Shift to the left! Shift to the right! Pop up, push down, byte, byte,
> byte!