Martin,

I think it is a good idea. I would like to see it be in the 0.9.2 branch.

I have a local modification to this function where it will enforce the attribute type but not the value. For example, I want my users to have a DN with this kind of structure:

DN: CN=someName, OU=someOU, L=" Any locality", ST=VA, C=US

What my mod does is check for these attributes, and if I have DN_TYPE_PKCS10_3 ="ANY" it will check that this attribute is there but it will ignore its value, so now I can have any locality I want while still enforcing the rest. If you guys think that this is a good idea then I could submit it to CVS.
Best regards,
Bahaa Al-amood

The function checkPkcs10_req in pkcs10_req performs some checks on the DN of an incoming PKCS#10 request. I would like to add an additional check that compares the keysize of an incoming request against a configurable minimum keylength (in order to prevent 512-bit requests).

This would require a few additional settings in etc/servers/pub.conf. Idea/example:

DN_TYPE_PKCS10_ENFORCE_MIN_KEYLENGTH "NO"
DN_TYPE_PKCS10_MIN_KEYLENGTH "1020"

(a few bits less than 1024 to allow for fuzziness with leading zeroes in the modulus).

Question: should I submit this extension to the 0.9.2 branch or should I keep this change as a local modification for our project only?

Martin

_______________________________________________
OpenCA-Devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-devel
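The two checks discussed in this thread, sketched as an added example (not OpenCA code and not either poster's patch): a DN template where the value "ANY" enforces presence only, plus a minimum modulus length with the 1020-bit slack. The `DN_TEMPLATE` layout, the function names, the fixed attribute order and the sample moduli are assumptions; only the two `*_KEYLENGTH` keys come from the proposal above.

```python
import re

# Hypothetical policy layout; not OpenCA's real configuration format.
POLICY = {
    "DN_TEMPLATE": [("CN", "ANY"), ("OU", "someOU"), ("L", "ANY"),
                    ("ST", "VA"), ("C", "US")],
    "DN_TYPE_PKCS10_ENFORCE_MIN_KEYLENGTH": "YES",
    "DN_TYPE_PKCS10_MIN_KEYLENGTH": "1020",
}

# One "TYPE=value" component; a quoted value may contain commas.
_RDN = re.compile(r'\s*([A-Za-z]+)\s*=\s*(?:"([^"]*)"|([^,]*))\s*(?:,|$)')

def parse_dn(dn):
    """Split a DN string into [(TYPE, value), ...] or raise ValueError."""
    pairs, pos = [], 0
    while pos < len(dn):
        m = _RDN.match(dn, pos)
        if not m:
            raise ValueError("malformed DN at offset %d" % pos)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        pairs.append((m.group(1).upper(), value.strip()))
        pos = m.end()
    return pairs

def check_request(dn, modulus, policy=POLICY):
    """Return a list of policy violations; an empty list means accept."""
    errors = []
    got, want = parse_dn(dn), policy["DN_TEMPLATE"]
    # Assumption: the template fixes both the attribute types and their order.
    if [t for t, _ in got] != [t for t, _ in want]:
        errors.append("DN attribute types or order differ from template")
    else:
        for (attr, value), (_, expected) in zip(got, want):
            if not value:
                errors.append("%s is empty" % attr)
            elif expected != "ANY" and value != expected:
                errors.append("%s must be %r" % (attr, expected))
    if policy["DN_TYPE_PKCS10_ENFORCE_MIN_KEYLENGTH"].upper() == "YES":
        # bit_length() ignores leading zero bits, so a nominal 1024-bit key
        # can measure 1023; a minimum of 1020 leaves room for that.
        bits = modulus.bit_length()
        if bits < int(policy["DN_TYPE_PKCS10_MIN_KEYLENGTH"]):
            errors.append("key is %d bits, below minimum" % bits)
    return errors

# Constructed inputs: only the bit length of these integers matters here.
SAMPLE_DN = 'CN=someName, OU=someOU, L=" Any locality", ST=VA, C=US'
MOD_1023, MOD_512 = (1 << 1022) | 1, (1 << 511) | 1
```

In a real deployment the modulus would come from the parsed PKCS#10 public key rather than being passed in as an integer.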
