Hi Martin,
To sum this up I think that using the CA cert is a bad idea and that it should either be possible to switch it off or at least to specify a dedicated CA auxiliary certificate that is issued by the CA when setting up the system and then used to sign such stuff.
I have a more radical question, does somebody believe that a signature on the role results in any additional real security? I do not think so because the major source of the role is always the CA and if a manipulation was made on the way to the database (perhaps of another node) then the CA cert can be manipulated too.
I also do not think this mechanism adds any additional security, but I did not dare propose to drop this feature. :-)
Hey, I'm not a guru. I'm learning by doing too - so it's a good idea to not always waiting for or asking me ;)
If we can agree on this then we can remove these signatures which reduces the CA key usage dramatically. This reduces the number of several possible error sources too. The dataexchange can be protected seperately and if the database is not trustworthy then the infrastructure is always broken.
This would increase the stability of the 0.9.2 release too. The "only" important question is, does this have any impact into our security?
I agree, and I do not think that it influences the security. Tight host security is a must, of course, but this is normal for such applications.
Ok, then I will remove the signatures. BTW this speeds up the batch system dramatically because it reduces the number of RSA operations.
Michael -- ------------------------------------------------------------------- Michael Bell Email: [EMAIL PROTECTED] ZE Computer- und Medienservice Tel.: +49 (0)30-2093 2482 (Computing Centre) Fax: +49 (0)30-2093 2704 Humboldt-University of Berlin Unter den Linden 6 10099 Berlin Email (private): [EMAIL PROTECTED] Germany http://www.openca.org
------------------------------------------------------- SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33 Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift. http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285 _______________________________________________ OpenCA-Devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/openca-devel
