Hi,
here is an idea for how to support PIN-based revocation.
We could identify the request (from which a certificate was generated)
via the public key, but of course there are some problems:
1. the public keys of the certificates are not searchable
2. the public keys of the requests are not searchable
3. the public keys must not be unique
The changes would affect:
* OpenCA::REQ (find the public key of the request)
* OpenCA::DB and OpenCA::DBI (two new searchable attributes)
* issueCertificate (must check the public key)
* spkac_confirm, ie_confirm, pkcs10_confirm (must check the public key)
* appReq and confirmReq (must check the public key)
So I think it is relatively easy to fix the three problems. What do you
think? The code for the PIN-based revocation itself is very easy because
we have only to compare some message digests and modify the code for the
RAServer to handle signed CRRs and not signed CRRs (PIN-based).
Michael
--
-------------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
Rechenzentrum - Datacenter     Email (work): [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.(work): +49 (0)30-2093 2482
Unter den Linden 6             Fax.(work): +49 (0)30-2093 2959
10099 Berlin
Germany                        [OpenCA Core Developer]
http://openca.sourceforge.net
_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
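
The lookup proposed in the message above, as an added Python example that is not part of the original post and is not OpenCA code: requests are indexed by a digest of their public key, several requests may share a key, and an unsigned CRR is accepted only if its PIN digest matches a stored one. Assumptions: the `RequestStore` class, the SHA-256 key digest, the salted PBKDF2 PIN digest and all sample values are constructed for this illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def key_digest(public_key_der: bytes) -> str:
    """Searchable attribute: SHA-256 over the encoded public key (assumed format)."""
    return hashlib.sha256(public_key_der).hexdigest()

def pin_digest(pin: str, salt: bytes) -> bytes:
    """Salted, stretched PIN digest; PBKDF2 is this example's choice."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)

class RequestStore:
    """Hypothetical in-memory stand-in for the request database."""
    def __init__(self):
        self.by_key = defaultdict(list)   # key digest -> list of requests

    def add(self, req_id: str, public_key_der: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.by_key[key_digest(public_key_der)].append(
            {"id": req_id, "salt": salt, "pin": pin_digest(pin, salt)})

    def find(self, public_key_der: bytes) -> list:
        # .get() avoids creating empty entries for unknown keys
        return self.by_key.get(key_digest(public_key_der), [])

def matching_requests(store, cert_public_key_der: bytes, pin: str) -> list:
    """Request ids whose stored PIN digest matches; empty list means reject."""
    matches = []
    for req in store.find(cert_public_key_der):   # keys may be shared
        candidate = pin_digest(pin, req["salt"])
        if hmac.compare_digest(candidate, req["pin"]):   # constant-time compare
            matches.append(req["id"])
    return matches

# Constructed sample data: two requests share one public key.
KEY_A, KEY_B = b"constructed-public-key-A", b"constructed-public-key-B"
STORE = RequestStore()
STORE.add("req-1", KEY_A, "4711-alpha")
STORE.add("req-2", KEY_A, "0815-beta")
STORE.add("req-3", KEY_B, "4711-alpha")

if __name__ == "__main__":
    print(matching_requests(STORE, KEY_A, "4711-alpha"))
    print(matching_requests(STORE, KEY_A, "wrong-pin"))
```

Because the key digest is not a unique index, the function checks every request filed under that key and returns all matches, leaving it to the caller to decide how to treat more than one.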