Hi Michael,

>> * OpenCA uses the CA certificate for signing the cert Role. (BTW:
>> openca-sv does use the CA cert regardless of its key usage
>> bits - and can create invalid signatures this way!)
>
> We enforce this because we had no other solution.

I see... :-)

>> * I may be wrong, but I think the signature on the Role does not
>> add any security, because the clear text seems to be only the
>> Role name, making it possible to copy the signature and use it
>> for another certificate.
>
> This is not correct. We always sign the role and the serial of the
> certificate.

I noticed - I missed the serial number, sorry.

>> To sum this up I think that using the CA cert is a bad idea
>> and that it should either be possible to switch it off or at least
>> to specify a dedicated CA auxiliary certificate that is issued
>> by the CA when setting up the system and then used to sign such stuff.
>
> I have a more radical question, does somebody believe that a signature
> on the role results in any additional real security? I do not think so
> because the major source of the role is always the CA and if a
> manipulation was made on the way to the database (perhaps of another
> node) then the CA cert can be manipulated too.

I also do not think this mechanism adds any additional security, but I
did not dare propose to drop this feature. :-)

> If we can agree on this then we can remove these signatures which
> reduces the CA key usage dramatically. This reduces the number of
> several possible error sources too. The data exchange can be protected
> separately and if the database is not trustworthy then the
> infrastructure is always broken.
>
> This would increase the stability of the 0.9.2 release too. The "only"
> important question is, does this have any impact on our security?

I agree, and I do not think that it influences the security. Tight host
security is a must, of course, but this is normal for such applications.

Martin

_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
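Added example (not code from the thread or from OpenCA): it illustrates the two technical points raised above in runnable form. First, a signature that covers only the role name says nothing about which certificate it belongs to, so the same signature value can be attached to any other certificate; binding the certificate serial into the signed data stops that. Second, a certificate whose keyUsage carries only keyCertSign/cRLSign is not meant to sign arbitrary data, which is the openca-sv complaint. Assumptions: HMAC-SHA256 under a shared secret stands in for the CA's real public-key signature (the binding argument does not depend on the primitive), the `SignerCert` record is a constructed stand-in for an X.509 certificate plus private key, and all serials, roles and keys are made up.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SignerCert:
    """Constructed stand-in for a signing certificate and its private key.

    key_usage uses the RFC 5280 keyUsage bit names. A CA certificate
    commonly has only keyCertSign and cRLSign set.
    """
    subject: str
    key_usage: frozenset
    secret: bytes  # ASSUMPTION: HMAC key standing in for an RSA/ECDSA private key


def _canonical(fields):
    # Length-prefix every field so (role, serial) pairs are unambiguous:
    # ("admin1", "2") must not encode like ("admin", "12").
    out = b""
    for f in fields:
        b = f.encode("utf-8")
        out += len(b).to_bytes(4, "big") + b
    return out


def _sign(cert, fields):
    return hmac.new(cert.secret, _canonical(fields), hashlib.sha256).hexdigest()


def _verify(cert, fields, sig):
    return hmac.compare_digest(_sign(cert, fields), sig)


# Weak scheme discussed in the thread: only the role name is signed.
def sign_role_only(cert, role):
    return _sign(cert, [role])


def verify_role_only(cert, role, sig):
    # Note: no serial is involved, so nothing ties the signature to one cert.
    return _verify(cert, [role], sig)


# Scheme Michael describes: role AND certificate serial are both signed.
def sign_role_and_serial(cert, role, serial):
    return _sign(cert, [role, serial])


def verify_role_and_serial(cert, role, serial, sig):
    return _verify(cert, [role, serial], sig)


def may_sign_data(cert):
    """RFC 5280: signing arbitrary data needs the digitalSignature bit.

    keyCertSign and cRLSign cover certificates and CRLs only, which is
    why openca-sv signing with a CA cert that lacks digitalSignature
    produces a signature a strict verifier should reject.
    """
    return "digitalSignature" in cert.key_usage


def replay_demo():
    """Copy a role signature from cert serial 1001 onto serial 1002.

    Returns (weak_replay_verifies, bound_replay_verifies).
    """
    ca = SignerCert("CN=Constructed Test CA",
                    frozenset({"keyCertSign", "cRLSign"}),
                    b"constructed-ca-secret")
    # Legitimately issued role for the certificate with serial 1001.
    sig_weak = sign_role_only(ca, "RA Operator")
    sig_bound = sign_role_and_serial(ca, "RA Operator", "1001")
    # Attacker stores the same role row against serial 1002.
    weak_ok = verify_role_only(ca, "RA Operator", sig_weak)
    bound_ok = verify_role_and_serial(ca, "RA Operator", "1002", sig_bound)
    return weak_ok, bound_ok


if __name__ == "__main__":
    weak, bound = replay_demo()
    print("role-only signature accepted on another cert:", weak)
    print("role+serial signature accepted on another cert:", bound)
    ca = SignerCert("CN=Constructed Test CA",
                    frozenset({"keyCertSign", "cRLSign"}), b"k")
    print("CA cert may sign arbitrary data:", may_sign_data(ca))
```

The replay returns `(True, False)`: the role-only signature is freely transferable, the role-plus-serial one is not. The key-usage check is what a signing front end like openca-sv would need to run before choosing a certificate to sign with; it is independent of whether the role signature is kept at all, which is the question the thread ends on.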