Massimiliano Pala wrote:
> 
> Michael Bell wrote:
>
> Can you update the export-import.lib into the openca-0.8 tree ??? I will update
> the public conf file adding the RBAC_DIR and EXT_DIR

Done.

> Why don't you plan making an E/R schema as you are implementing the
> DB into relational database ? This would simplify your life in setting
> all the foreign keys and references and obviously other people in
> understanding your schema.

I could set up an ER schema, but I don't actually implement all the
foreign keys in the database tables, though perhaps I should. So do you know
a free tool which is available to everybody?

> I would add "SERIAL + DN" => "Role + Signature" to double check what is
> being addressed by the role management system. I would code this using
> the RBAC module without the usage of the DB/DBI module: the usage of a
> simple HASH file (as the DB module does) should fit and it should be
> faster than a complex DBMS for this simple storage functions.

I don't include the DN because you can search for the role via DN and/or
serial if necessary via searchItems.

Another OpenCA-user wrote in an earlier mail that the uniqueness of the
DN in OpenSSL is declared as a bug. So perhaps the DN is not unique
forever.

Here is a small update. I store the role, the signature of the role
and the serial in the header of the certificates. All parts of the
RBAC are now stored in the filesystem. The structure on the CA is:
conf/rbac/
  roles/ (only names, only present on the ca)
  rights/
  operations/ (only names, only present on the ca)
  scripts/ (configurations and signatures of the scripts)
  modules/ (only the names, only present on the ca)

The operations, roles and modules cannot include the string "--00--" but
I think this is acceptable.

I am currently preparing a sample configuration and starting to test.

> we could have the role management just on the CA computer (which should
> be safer as it should be network disconnected) and have the roles just
> imported and accessed in reading by the RAServer. The roles would
> become a sort of "CRML" Certificate Role Management List (as CRLs..)
> carrying SERIAL, DN, and Signature for that entry by the CA.

I never want to edit the ACL outside of the CA.
 
> > The actual module OpenCA::DBI (v0.4.0) supports the column ROLE for
> > CERTIFICATE and REQUEST (not for CA_CERTIFICATE). The column is
> > searchable. The column ROLE in CERTIFICATE is only present to avoid
> > changes on the table if solution one is chosen. The column
> > ROLE_SIGNATURE in CERTIFICATE is only present to avoid changes on the
> > tables if we decide to sign every pair of role and serial.
> 
> I would separate role management from the DB (of X509 objects).

Why? The role is an attribute of the certificate.
 
> Another solution for the storage of the role information would be adding
> it to the LDAP tree and searching for it there. The only problem with
> this approach is that on misconfigured systems (not so difficult to
> find... ) this information could be publicly available (or worse, writable!).

Not every user uses LDAP!
 
> >
...
> >   * show_prepared_section
> 
> can you remove them from the cvs tree (including the related unused
> sheets if any) ??

Yes, I will.

Here is the right place to make another important statement.
OpenCA::OpenSSL::Configuration and OpenCA::RBAC are no longer needed.
OpenSSL is too complex to configure in a safe way via a web page, and
the RBAC module is simply no longer needed.

> > Finally a security related question. Are the headers of the objects
> > protected? I think that the headers are not signed and so they are
> > insecure. Is it necessary to add a signature for every relevant
> > header (crr, request and certificate, not ca_certificate)? If such a
> > signature is necessary then it would be better to implement
> > empty fields in the database now than to have to alter tables later.
> 
> I am not sure this is really needed; in the header there is only
> data for searching (at least in the DB module) and, as I remember,
> the important data is obtained from parsing the object.

After I store the role in the header there is information which must
be protected. So I add another attribute (a signature) to the header
which protects the role and the serial. I implemented some changes to the
module X509 to support multiline attributes and the adding of attributes
to the header. This works only with PEM certificates, but that is no
problem because we currently use only such certificates internally.

> > If we have to sign the headers then we could store the role in the
> > header of the certificate and would not have to store an extra signature only
> > for the role. (We must then only ensure that we cannot be fooled with
> > mismatched headers and certificates, which is relatively easy to
> > implement via the serials.)
> 
> Keep in mind headers are only used internally -- and not accessible by
> externals (only the RAServer operator and CA manager should access them
> physically when exporting/importing requests... ), so I would not address
> this as a real issue...

The roles are not needed outside the CA or RAServer.

> > P.S. the attachment extracts to OpenCA/
> 
> The files contained into the archive should be added to the original
> openca cvs tree or what ?

No, the attachment was only for information; I add all the code myself
to the CVS when the code is ready for publishing.

Cheers,
Michael

----------------------------------------------------------------------------
Michael Bell                             Email: [EMAIL PROTECTED]
Rechenzentrum - Datacenter               Email (work): [EMAIL PROTECTED]
Humboldt-University of Berlin            Tel.(work): +49 (0)30-2093 2482
Unter den Linden 6                       Fax.(work): +49 (0)30-2093 2959
10099 Berlin
Germany                                  [OpenCA Core Developer]

http://openca.sourceforge.net
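The header protection discussed in this message (a CA signature over role and serial, plus a check that the header's serial matches the certificate it is attached to, so a header cannot be moved onto a different certificate), as an added Python illustration that is not OpenCA code: the attribute names, the header layout and the HMAC standing in for the CA's private-key signature are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed stand-in for the CA's signing key.  In OpenCA the CA would sign with
# its private key; an HMAC is used here only so the example runs with the stdlib.
CA_KEY = b"constructed-example-key"

# Constructed PEM body; the base64 content is a placeholder, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              "Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgY2VydGlmaWNhdGU=\n"
              "-----END CERTIFICATE-----")


def role_signature(serial, role):
    """MAC over serial and role together, so the role is bound to one certificate."""
    msg = ("%s\n%s" % (serial, role)).encode()
    return hmac.new(CA_KEY, msg, hashlib.sha256).hexdigest()


def add_role_header(pem, serial, role):
    """Prepend SERIAL, ROLE and ROLE_SIGNATURE attribute lines to a PEM object."""
    header = "SERIAL=%s\nROLE=%s\nROLE_SIGNATURE=%s\n" % (
        serial, role, role_signature(serial, role))
    return header + pem


def parse_header(obj):
    """Split KEY=value header lines from the '-----BEGIN' PEM body."""
    attrs, body = {}, []
    for line in obj.splitlines():
        if body or line.startswith("-----"):
            body.append(line)
        elif "=" in line:
            key, value = line.split("=", 1)
            attrs[key] = value
    return attrs, "\n".join(body)


def verify_role(obj, cert_serial):
    """Return the role only if the header is unmodified and belongs to cert_serial.

    cert_serial is the serial parsed from the certificate itself; a header whose
    SERIAL differs has been attached to the wrong certificate and is rejected.
    """
    attrs, _ = parse_header(obj)
    serial = attrs.get("SERIAL", "")
    if serial != cert_serial:
        return None
    role = attrs.get("ROLE", "")
    expected = role_signature(serial, role)
    if not hmac.compare_digest(expected, attrs.get("ROLE_SIGNATURE", "")):
        return None
    return role
```

A tampered ROLE line or a header pasted onto a certificate with another serial both make verify_role return None, which is the check the serial binding is meant to provide.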
