I am afraid I have not found adequate documentation that I can use to
guide me in editing the contents of openssl.cnf.  The comments within
the file do not tell me enough about good values to use for the
different options that are available.

Here are my objectives:

1) A single certificate authority, used by multiple registration authorities.
2) Support for generating client side certificates, in response to a
request made by a client through a form that contains the keygen HTML
tag (and after a series of challenges and responses to verify
identity), with the following properties:
    a) requires a password every time the client uses it
    b) supports, with the corresponding private key, encryption and
signing of the contents of the fields of the form which is accessible
only by using the certificate (to support non-repudiation).
    c) a client may have multiple certificates permitted by multiple
registration authorities, with different IDs (for access to different
accounts, so a client may have multiple IDs even from the same
registration authority, but for access to different accounts), and the
question becomes how to ensure the client uses the right certificate
for each account.  But at the same time, few of the clients in
question are part of any particular organization.

And related questions:

1) Given that I'd like to store a copy of the certificates' public
key, in a table which maps the certificate to the user's IDs, a) what
data type would be most appropriate, and b) if I have a web page into
which the user can enter the client's ID and paste the contents of a
file that has allegedly been encrypted and signed by the client, how
do I verify whether or not it was, in fact, signed by the client and,
if so, that the document has not been altered?

2) I was reading, in various places, that when the keygen tag is used,
the user is presented a dialog that lets him select the strength of
the key, so how can I ensure that the clients use only the strongest
level of encryption available?

Can anyone either tell me how best to do this, or point me to an
online resource that explains how to do this, and more?

Thanks

Ted
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
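As an added example (not from the original post, and not OpenSSL's own documentation), this script walks through the verification step asked about in related question 1): it builds a throwaway CA and two client certificates, signs a form's contents with one of them, then checks a submitted blob against the certificate stored for a given account. The CA name, client names and form contents are all constructed for the demo.

```shell
#!/bin/sh
# Added example; names (Demo CA, client-42, client-43, form.txt) are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway self-signed CA standing in for the single certificate authority.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
  -keyout ca.key -out ca.crt 2>/dev/null

# issue_client NAME: key + CSR + CA-signed cert (NAME.key, NAME.crt).
# In the post's scenario the key never leaves the browser; it is created
# here only so the demo can produce a signature.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out "$1.crt" 2>/dev/null
}
issue_client client-42
issue_client client-43

# The client signs the form contents. Default S/MIME output is detached
# (clear text plus signature), so the text stays readable, and tamperable.
printf 'account=42\namount=100\n' > form.txt
openssl smime -sign -in form.txt -signer client-42.crt -inkey client-42.key \
  -out form.p7m

# verify_signed_form SIGNED STORED_CERT: prints "ok" when the signature
# verifies up to the CA and the signer certificate is the one stored for
# this account (compared by SHA-256 fingerprint); "bad" otherwise.
verify_signed_form() {
  if ! openssl smime -verify -in "$1" -CAfile ca.crt -signer signer.crt \
       -out verified.txt >/dev/null 2>&1; then
    echo bad; return      # bad digest, untrusted issuer or malformed input
  fi
  got=$(openssl x509 -in signer.crt -noout -fingerprint -sha256)
  want=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ "$got" = "$want" ] && echo ok || echo bad
}

# Tampered copy: the clear-text part is altered after signing.
sed 's/amount=100/amount=999/' form.p7m > tampered.p7m

verify_signed_form form.p7m client-42.crt      # ok
verify_signed_form tampered.p7m client-42.crt  # bad: content changed
verify_signed_form form.p7m client-43.crt      # bad: valid cert, wrong account
```

The third call is the case the post worries about: a certificate from the same CA verifies fine, so the fingerprint comparison against the per-account table is what binds the signature to one client ID.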