Folks,

I'm developing a distributed application for which I'm currently
planning to use OpenSSL to handle the security needs, which include a
(privately-run) PKI.

I can't divulge the details of the application, but this vendor's
systems would be installed at individual client sites as well as having
some clients use fully or partially hosted services, hosted by the
vendor. Clients have control over some parts of the system (such as
adding new users to the site), but not other parts (such as the ability
to generate licenses to use certain programs).

The application runs mostly over proprietary protocols and doesn't
interoperate with any other system except through gateways that
speak the application-specific protocols on one side and whatever they
need to on the other side. So I've no particular huge need to follow
standards, except inasmuch as they make life easier for me and add a bit
of shine to the marketing materials.

Amongst these systems, no client trusts or interoperates with any other
client; essentially, each is its own island.

My tentative plan is to set up a three-level PKI, with the vendor's
"master CA" as the sole root certificate trusted by all software and
nodes, and a "client CA" (signed by the master CA) for each site.

Within this, we'd have two basic types of nodes. One is for nodes that
can be authenticated/authorized by the client CA, such as local users of
the system. The other would be for, e.g., server programs, which would
have some indication in their certificate that they're valid to operate
only with a particular client, but also may be signed only by the master
CA, not by a client CA.

Two obvious ways I can see to implement this would be a) to add new
extension fields to the SSL certs for node names, types, which client
they may operate with, and so forth, or b) to simply define some new
fields for the distinguished name (e.g., "O=Client A, Type=User,
Name=j...@clienta.com") and do authorization based on that and who signed
the cert.

Does anybody have any thoughts on either approach, or other approaches
I should consider?

And while we're at it, can someone point me to a reference on the OIDs
used for the various field names (CN etc.) used within distinguished
names? This didn't really seem to be mentioned in the X.501 spec.

cjs
-- 
Curt Sampson         <c...@cynic.net>         +81 90 7737 2974
             http://www.starling-software.com/
I have always wished for my computer to be as easy to use as my telephone;
my wish has come true because I can no longer figure out how to use my
telephone.  --Bjarne Stroustrup
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
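
The authorization rule that option (b) implies, as an added example that is not part of the original post: the decision has to bind what each issuer is allowed to assert, otherwise a client CA could mint a DN claiming Type=Server or another client's O. The master CA name, the "Type=ClientCA" marker, the function names and all sample DNs are constructed assumptions, and the simple comma-split parser rejects rather than handles escaped commas.

```python
MASTER_CA = "O=Vendor, CN=Master CA"  # constructed root CA name (assumption)

def parse_dn(dn):
    """Parse 'K=V, K=V' into a dict, rejecting malformed or repeated attributes."""
    attrs = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not key or not value or key in attrs:
            raise ValueError(f"bad DN component: {part!r}")
        attrs[key] = value
    return attrs

def authorize(subject_dn, issuer_dn, issuer_parent_dn, site):
    """Return 'User' or 'Server' if the cert may act at `site`, else None.

    Assumes signatures were already verified up to the master CA and that
    the DN strings come from that verified chain.
    """
    try:
        subject, issuer = parse_dn(subject_dn), parse_dn(issuer_dn)
    except ValueError:
        return None
    if subject.get("O") != site:
        return None  # certificate belongs to another client's island
    node_type = subject.get("Type")
    if node_type == "Server":
        # Server certs must be issued directly by the master CA.
        return "Server" if issuer_dn == MASTER_CA else None
    if node_type == "User":
        # User certs must come from this site's own client CA, itself
        # issued by the master CA. "Type=ClientCA" is a hypothetical marker.
        from_site_ca = (issuer.get("Type") == "ClientCA"
                        and issuer.get("O") == site
                        and issuer_parent_dn == MASTER_CA)
        return "User" if from_site_ca else None
    return None  # unknown or missing Type: deny by default

if __name__ == "__main__":
    ca_a = "O=Client A, Type=ClientCA"  # constructed client CA name
    user = "O=Client A, Type=User, Name=alice@clienta.example"
    print(authorize(user, ca_a, MASTER_CA, "Client A"))
    print(authorize("O=Client A, Type=Server, Name=lic1", ca_a, MASTER_CA, "Client A"))
```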
