Guys, I have been thinking about future development for OpenCA and have come up with the following list. I thought I would share them with you to get some feedback before putting them on the "OpenCA Features Request page". What do you think?

1. Scalability - An indication from the OpenCA team that with a given server and database OpenCA can manage up to 1,000,000 certificates. This is important for uptake in local government.

2. Command line API to CA and RA functions - This would allow for complex scripts to be written around the OpenCA environment, hopefully paving the way for future modifications. This would also lead to the possibility of XKMS, CMS, SOAP based clients. I suspect the new batch processes are well on the way to delivering this.

3. Automation functions - Automation of regular operations like: CRL production, certificate signing. This is important in production environments where you do not want Operations staff to have to manually produce regular CRLs.

4. On-line CA model option - To accommodate an on-line CA model, i.e. a user can request a certificate and in the same session get the requested cert back. This can be used for "free email certs" or in closed user groups where only certain people have access to the public interface. It may be that this would only work with CA root key in hardware, or a special CA user logged on on a secure terminal to give the environment access to the CA password.

5. Audit logging - Audit of RA and CA operations to a tamper-proof signed log. This is possibly a requirement to achieve any form of accreditation.

6. Script/environment validation - A function that ensures OpenCA is running in a "known" environment. Perhaps md5 signature creation (after installation) and run time validation.

7. Function to process signing and encryption keys in one go - OpenCA could introduce the idea of "certificate profiles" where a user "requests" once but gets a "Profile" of certificate types. Secure storage and recovery of encryption keys would be part of this mechanism. The start of this is in the new Batch processes in the form of the "Process".

8. Secure storage and recovery of encryption keys, i.e. optional key backup.

9. Web based OpenCA configuration and management - Enhancing the existing management screens to allow management of certificate roles and extensions, access control settings and node management, i.e. a front end to the OpenSSL config files.

10. Improved key lifecycle management - Screens to allow users to renew their certificates, modify DNs etc.

11. Authentication via a third party - The ability to allow a user to request a certificate and authenticate themselves; the authentication token is then checked against an independent directory.

12. Accreditation - Achieve Common Criteria/FIPS accreditation! This is a long way off, but with OpenSSL being pushed through, then it may be possible!!!

_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel