I think this topic should be discussed here too, not just on the users list ;o)
greetings dalini
Michael Konietzka wrote:
Chris Covell wrote:
Michael,
On Wed, 2004-05-19 at 11:32, Michael Konietzka wrote:
Ok, but how should I handle the different keyUsage in certification process?
The OpenCA way of doing this is to have a different "Role" for each certificate type. So I would have a "Sign" role where the key usage is set to:
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage: TLS Web client authentication, E-mail protection
and an "Encrypt" role where the key usage is set to:
keyUsage = keyEncipherment, dataEncipherment, keyAgreement
OK, done it this way using two different roles and it worked. But I am using the client-side generation for both certificates. Michael Bell said that for key recovery of the decryption certs I should use the batch processor. So I will check this out.
In my PKI I'll have two User-Roles:
User-Sign: where the keys are generated in the browser.
User-Enc: where the keys are generated with the batchprocessor on the CA.
Using the batchprocessor (bp) in RC5 works fine for generation and enrollment of the PKCS12 on the CA.
But at the moment I have no "nice" workflow for handling the batch_new_process.txt, batch_new_user.txt and batch_process_data.txt files. I feed them "semi-manually", which is not an ideal solution.
My idea is to automatically feed the bp with data from the already generated User-Sign certificates. To do this I will look up the certificate table for valid certificates with role="User-Sign". The cert-key of those User-Sign certs will be the user_id for the bp. The process-data for the User-Encryption cert can be the same data as the fields CN and Email stored in "certificate".
With these generated batch_new_process.txt, batch_new_user.txt and batch_process_data.txt I'll start the batchprocessors to generate keys and certificates for the role "User-Enc".
To distribute the PKCS12 and the PIN one can use the User-Sign certificate to generate an encrypted email like the CRIN-Email. The certificate for encryption will then be certificate #$USER_ID, because the user_id is the cert_key of the User-Sign certificate.
Advantage:
+ "One step" for a User to get the two certificates.
+ Using already RA-approved user-data for the batchprocessor.
+ PKCS12 and PIN can be transferred via encrypted email.
Disadvantage:
- Using a User-Sign certificate for encryption, but the CRIN-Mails are doing this anyway.
- ?
Does anyone see some mantraps or failures in this workflow before I start configuring and coding?
Best regards Michael
--
Ives Steglich
System Administration
Fraunhofer Institute for Digital Media Technology
Langewiesener Strasse 22
98693 Ilmenau
Germany
Email: [EMAIL PROTECTED]
Email (private): [EMAIL PROTECTED]
Tel.: +49 (0)3677 - 69 4882
Fax: +49 (0)3677 - 69 4399
http://www.openca.org
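The two keyUsage profiles Chris describes for the "Sign" and "Encrypt" roles, shown as an added example that is not from the thread and not OpenCA's own code: a throwaway test CA issues one certificate per role with plain openssl, and a small check reads the key usage back so an enrollment step can verify that a cert offered for signing or for key recovery really carries the expected profile. The CA name, subject names and temp paths are constructed for the example; the extension sections are written as an OpenSSL extfile rather than an OpenCA role config.

```shell
#!/bin/sh
# Added example (not from the thread): issue a "sign" and an "enc" certificate
# from a throwaway test CA using the keyUsage sets discussed above, then read
# the key usage bits back. Requires the openssl command-line tool.
set -eu

WORK=$(mktemp -d)

# The two role profiles as x509v3 extension sections (constructed for this example).
cat > "$WORK/ext.cnf" <<'EOF'
[ sign ]
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage = clientAuth, emailProtection

[ enc ]
keyUsage = keyEncipherment, dataEncipherment, keyAgreement
EOF

# Throwaway CA (self-signed, one day, no passphrase: test use only).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# issue_cert <role-section> <common-name> -> prints the path of the issued cert
issue_cert() {
  role=$1; cn=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$cn/emailAddress=user@example.test" \
    -keyout "$WORK/$role.key" -out "$WORK/$role.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$role.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/ext.cnf" -extensions "$role" \
    -out "$WORK/$role.crt" >/dev/null 2>&1
  printf '%s\n' "$WORK/$role.crt"
}

# key_usage <cert> -> the Key Usage line, e.g. "Digital Signature, Non Repudiation"
key_usage() {
  openssl x509 -in "$1" -noout -text | awk '/X509v3 Key Usage/{getline; sub(/^ +/,""); print}'
}

# ext_key_usage <cert> -> the Extended Key Usage line, empty if the cert has none
ext_key_usage() {
  openssl x509 -in "$1" -noout -text | awk '/X509v3 Extended Key Usage/{getline; sub(/^ +/,""); print}'
}

# role_of <cert> -> "sign", "enc", or "mixed" if a cert carries both kinds of bits
role_of() {
  ku=$(key_usage "$1")
  case "$ku" in
    *Encipherment*|*"Key Agreement"*)
      case "$ku" in *Signature*|*Repudiation*) echo mixed ;; *) echo enc ;; esac ;;
    *) echo sign ;;
  esac
}
```

Running `role_of` on a submitted certificate is the check to place in front of the batchprocessor input: only certs classified as "sign" should seed a User-Enc request, and an "enc" cert should never be accepted as a signing credential.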
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel