Martin,

On Tuesday 13 July 2004 15:34, Martin Bartosch wrote:

> this is actually a very good summary of some missing key features.
> I have some additional feature requests and ideas (see bottom of
> this mail).

I shall comment on your comments!!!

> > 9. Web based OpenCA configuration and management - Enhancing the existing
> > management screens to allow management of certificate roles and
> > extensions, access control settings and node management i.e. a
> > front end to the OpenSSL config files.
>
> Sounds like a *lot* of work. I am fine with today's XML based
> configuration. I don't like the template -> config file hack much,
> though.

I was not thinking about the OpenCA installation, but a web interface for the
OpenCA Roles (or certificate types), e.g. to configure the key usage of an
Encryption Certificate Role.

> 13. Automated CA Key rollover
>
> When reaching the end of the CA certificate lifetime, there is
> a certain point after which no usable end entity certificates
> can be issued whose desired validity *fully* fits into the CA
> certificate's validity.
>
> To address this problem, we issue a rollover certificate that becomes
> valid when reaching half of the CA certificate's validity range:
>
>   notBefore(new) := notBefore(old) +
>                     ((notAfter(old) - notBefore(old)) / 2)
>
> New certificates are *always* and *only* issued using the "newest"
> CA certificate available. After rollover happens (automatically by
> reaching the "NotBefore" date of the new certificate) the old
> one still remains valid and is *exclusively* used for CRL
> generation, revocation etc.
>
> This ensures that you will always be able to issue certificates
> with a lifetime up to half of the "standard" CA certificate
> lifetime.
>
> CA operators need only remember to issue a new rollover
> certificate within the first half of the currently used certificate's
> validity.
>
> BUT the CA software has to be able to deal with this.

Yes, this is a good long term idea. I am glad we are all thinking of 5 to 10
year PKI lifecycles!!

> > 14. Improved debugging support
>
> I frequently get lost in the system when trying to debug things,
> often I wonder what functions get executed by OpenCA, the CGI
> system seems very opaque to me (and I consider myself an
> experienced Perl hacker)

Yes, I am not sure how this could be worked into OpenCA though, it is
probably linked in to your suggestion 15, below.

> 15. Improved error handling
>
> I have seen OpenCA report crude error messages on seemingly
> harmless error conditions. When checking the code it was
> often something like an uninitialized variable that was
> used to call a method on.

Yep, good idea.

Chris...

_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
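The rollover arithmetic Martin describes in item 13 (successor certificate valid from the midpoint of the current one, EE certificates issued only under the newest valid CA certificate, older valid certificates kept for CRL signing, and the resulting guarantee that an EE lifetime of at least half the CA lifetime is always issuable), worked through as an added example. This is not code from the thread or from OpenCA: `CaCert` is a hypothetical stand-in for a CA certificate's validity fields, and the certificate names and dates are constructed for the demonstration.

```python
"""CA key rollover at the midpoint of the current CA certificate's validity."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class CaCert:
    # Hypothetical minimal stand-in for a CA certificate (not an OpenCA object).
    name: str
    not_before: datetime
    not_after: datetime


def rollover_not_before(old: CaCert) -> datetime:
    """notBefore(new) := notBefore(old) + ((notAfter(old) - notBefore(old)) / 2)"""
    return old.not_before + (old.not_after - old.not_before) / 2


def make_rollover_cert(old: CaCert, lifetime: timedelta, name: str) -> CaCert:
    """Successor certificate with the given lifetime, starting at old's midpoint."""
    start = rollover_not_before(old)
    return CaCert(name, start, start + lifetime)


def role_of(ca: CaCert, cas: List[CaCert], now: datetime) -> str:
    """'issuing' for the newest currently valid certificate, 'crl-only' for older
    still-valid ones, 'pending' before notBefore, 'expired' after notAfter."""
    if now < ca.not_before:
        return "pending"
    if now > ca.not_after:
        return "expired"
    valid = [c for c in list(cas) + [ca] if c.not_before <= now <= c.not_after]
    newest = max(valid, key=lambda c: c.not_before)
    return "issuing" if newest == ca else "crl-only"


def issuing_ca(cas: List[CaCert], now: datetime) -> CaCert:
    """The only certificate that EE certificates may be issued under right now."""
    for c in cas:
        if role_of(c, cas, now) == "issuing":
            return c
    raise ValueError("no valid CA certificate at %s" % now)


def ee_fits(ca: CaCert, ee_not_before: datetime, ee_not_after: datetime) -> bool:
    """An EE validity must lie *fully* inside the signing CA certificate's validity."""
    return ca.not_before <= ee_not_before and ee_not_after <= ca.not_after


def max_ee_lifetime(cas: List[CaCert], now: datetime) -> timedelta:
    """Longest EE validity issuable now: from `now` to the issuing cert's notAfter."""
    return issuing_ca(cas, now).not_after - now


def rollover_overdue(cas: List[CaCert], now: datetime) -> bool:
    """True when the issuing certificate is past its midpoint and no successor
    exists yet: the first-half window was missed and the half-lifetime
    guarantee no longer holds."""
    cur = issuing_ca(cas, now)
    has_successor = any(c.not_before > cur.not_before for c in cas)
    return now >= rollover_not_before(cur) and not has_successor


# Constructed sample data: a ten-year CA certificate and its rollover successor.
OLD = CaCert("ca-2010", datetime(2010, 1, 1), datetime(2020, 1, 1))
TEN_YEARS = OLD.not_after - OLD.not_before  # 3652 days
NEW = make_rollover_cert(OLD, TEN_YEARS, "ca-2015")  # valid from 2015-01-01
CHAIN = [OLD, NEW]


if __name__ == "__main__":
    for when in (datetime(2014, 6, 1), datetime(2016, 1, 1)):
        print(when.date(), {c.name: role_of(c, CHAIN, when) for c in CHAIN},
              "max EE lifetime:", max_ee_lifetime(CHAIN, when).days, "days")
    print("rollover overdue without successor in 2016:",
          rollover_overdue([OLD], datetime(2016, 1, 1)))
```

The guarantee in the thread falls out of `max_ee_lifetime`: just before the midpoint the old certificate still has half its lifetime left, and from the midpoint on the successor is used with its full lifetime ahead, so the issuable EE lifetime never drops below half the CA lifetime as long as the successor was issued in time. `rollover_overdue` is the check a CA process would run (and alert on) to catch an operator who let the first-half window pass.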