Re: Multiple certificate requests in one message

2006-11-22 Thread Michael Ströder
Victor B. Wagner wrote:
> RFC 2511 defines ASN.1 syntax for putting multiple certificate requests
> into one message:
> [..]
> The question is: how widespread is the use of this syntax? Is there any
> real-world CA which understands the CertReqMessages sequence?

There are several PKI implementations which support CMP/CRMF (e.g.
Entrust). At the client side I vaguely remember that it was added to
Netscape 6.x. Not sure whether it's still actively maintained in
Mozilla/Firefox etc. Note that CRMF is most of the time profiled in a
vendor-/project-specific way.

> It seems simple enough to support this syntax above the openssl binary in
> the scripts which process incoming requests.
>
> But is this really necessary, or are there good security reasons to
> require people who write key generation software to process each
> certificate request as a separate entity, even if several keys (say a
> signature key and a key encipherment key) are generated simultaneously?

What exactly are you trying to achieve? Implement a CA component which
can deal with any enrollment protocol implemented in clients on earth?

Ciao, Michael.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


Re: Multiple certificate requests in one message

2006-11-22 Thread Victor B. Wagner
On 2006.11.22 at 16:40:27 +0100, Michael Ströder wrote:

> Victor B. Wagner wrote:
>> RFC 2511 defines ASN.1 syntax for putting multiple certificate requests
>> into one message:
>> [..]
>> The question is: how widespread is the use of this syntax? Is there any
>> real-world CA which understands the CertReqMessages sequence?
>
> There are several PKI implementations which support CMP/CRMF (e.g.
> Entrust). At the client side I vaguely remember that it was added to
> Netscape 6.x. Not sure whether it's still actively maintained in
> Mozilla/Firefox etc. Note that CRMF is most of the time profiled in a
> vendor-/project-specific way.
>
>> It seems simple enough to support this syntax above the openssl binary in
>> the scripts which process incoming requests.
>>
>> But is this really necessary, or are there good security reasons to
>> require people who write key generation software to process each
>> certificate request as a separate entity, even if several keys (say a
>> signature key and a key encipherment key) are generated simultaneously?
>
> What exactly are you trying to achieve? Implement a CA component which
> can deal with any enrollment protocol implemented in clients on earth?

We are implementing a system which contains both a CA and a client.
Really, our client has to be compatible with other CA implementations,
and our CA with other clients.

For some reasons our client often generates both a signature key pair and
a key encipherment key pair simultaneously.

I'm trying to understand what is better: to push the people who implement
the other CAs we have to interoperate with to support CertReqMessages,
telling them that it is in the RFC so it ought to be supported, or to tell
the people who implement our client not to rely on its support.

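Added example, not code from the thread or from the OpenSSL project: the kind of DER splitter a script sitting above the openssl binary would need to take a CertReqMessages (RFC 2511: SEQUENCE SIZE (1..MAX) OF CertReqMsg) apart and hand each CertReqMsg to the CA's normal per-request checks, so that bundling two keys in one message never lets a request skip its own proof-of-possession or policy check. The sample message is constructed here (two minimal requests, certReqIds 1 and 2, empty CertTemplate, no POP), and all function names are this example's own.

```python
# Added example (not OpenSSL code). CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
SEQUENCE, INTEGER = 0x30, 0x02

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F or first == 0x80:
        raise ValueError("multi-byte tag or indefinite length: not DER CRMF")
    length = first
    if first & 0x80:                      # long form: 0x8n, then n length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        if not 1 <= n <= 4 or length < max(0x80, 1 << (8 * (n - 1))):
            raise ValueError("bad or non-minimal length: BER, not DER")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of input")
    return tag, pos, pos + length

def split_cert_req_messages(der_bytes):
    """Return the DER bytes of each CertReqMsg inside a CertReqMessages."""
    tag, pos, end = read_tlv(der_bytes, 0)
    if tag != SEQUENCE or end != len(der_bytes):
        raise ValueError("expected exactly one top-level SEQUENCE, no trailing data")
    msgs = []
    while pos < end:
        itag, _, iend = read_tlv(der_bytes, pos)
        if itag != SEQUENCE:
            raise ValueError("CertReqMsg must be a SEQUENCE")
        msgs.append(der_bytes[pos:iend])   # keep the full TLV: a complete CertReqMsg
        pos = iend
    return msgs

def cert_req_id(msg):
    """certReqId: first INTEGER of CertRequest, which is CertReqMsg's first field."""
    _, pos, _ = read_tlv(msg, 0)          # CertReqMsg
    _, pos, _ = read_tlv(msg, pos)        # certReq CertRequest
    tag, s, e = read_tlv(msg, pos)        # certReqId
    if tag != INTEGER:
        raise ValueError("certReqId must be INTEGER")
    return int.from_bytes(msg[s:e], "big", signed=True)

def der(tag, content):  # tiny DER encoder (short and long lengths) for the sample
    n, k = len(content), (len(content).bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + hdr + content

def sample_two_requests():  # constructed: certReqIds 1 and 2, empty CertTemplate, no POP
    req = lambda i: der(SEQUENCE, der(SEQUENCE, der(INTEGER, bytes([i])) + der(SEQUENCE, b"")))
    return der(SEQUENCE, req(1) + req(2))
```

Rejecting BER-only encodings (indefinite and non-minimal lengths) and trailing bytes keeps the wrapper from accepting an encoding that the openssl binary behind it might parse differently.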