Martin Bartosch wrote:
ok, i see the motivation - and i would suggest, for such cases to use the idea of reusing the user-pin from the request, so the user knows his pin already and doesn't need to get sent a new one

There is not necessarily something wrong if no user cert is available:
1. The user might not yet have a certificate (bootstrap problem)
2. The mail system used might not be able to support end-to-end encryption (either because of technical limitations or because of policy decisions). E. g. Lotus Notes systems often use proprietary end-to-end encryption, and it is really painful to add end user certificates into such an infrastructure.
3. The user might not order a client cert for himself, but rather a system certificate e. g. for an SSL server
But you are of course perfectly right, PINs should not normally be mailed in the clear. However, in a test environment and in certain cases for server certificates this is acceptable, so I think a configurable option (default off, with big fat warning above...) might be useful.
There are even infrastructures where it is impossible to provide users with client certificates.
this may require some harder checking of user-pins to keep them at a reliable level (at the moment they have to be 10 chars long, but no other forced checks are done so far)
at the moment you can just hard switch between the behavior - either user pin gets reused or user-pin gets generated, it may be useful to make this more dependent on the kind of request or so...
but i think at least this is a way i would prefer instead of sending pins, but it should not be too heavy to make this possible too on a configurable basis, and switch it off per default like mentioned
there is a configuration option to send mails automatically (config.xml) but this works only if you use ex- and import i think so if there are no ex/import steps this doesn't get called automatically during the import procedure
OK, understood.
but it should be quite simple to build a little script, like for the ra-operator information - which can be called on a regular basis (cron), which checks for new mails and sends them to the users
actually the script is there, just some minor changes are necessary to call it 'standalone' and strip the html output (for the usermails, if no imports are done) but i won't promise too much
greetings dalini
--
Ives Steglich
System Administration
Fraunhofer Institute for Digital Media Technology
Langewiesener Strasse 22
98693 Ilmenau
Germany
Email: [EMAIL PROTECTED]
Email (private): [EMAIL PROTECTED]
Tel.: +49 (0)3677 - 69 4382/4383
Fax: +49 (0)3677 - 69 4399
http://www.openca.org
_______________________________________________
OpenCA-Devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/openca-devel