Hi all,
actually we protect objects after an approval with signatures. These signatures are used in two ways. First they protect the data and second they signal the state. I want to do the following:
1. store the signatures in a different table
2. allow the signing of every data object
3. approval and signatures should be divived (even pending requests can be signed to protect them)
I would like to implement a function sign_object. Everyone can sign a object to signal that he verified the object. This has nothing to do with the state APPROVED. This way of using signatures allows the old style management (only issuing certs from approved and signed requests) but it supports much more things too.
A RA operator can sign a pending request for a CA operator certificate to signal a CA operator that the data in the request is checked. Nevertheless only a CA operator can approve the request. The idea is to allow much more detailed and flexible policies.
This is perhaps a real core and philosophy change but actually I'm reading "The art of unix programming" and this book brings me to a point where I start thinking about many of our design decisions. The result is a more Unix like way - dividing big commands into several small ones. See CVS HEAD (modules/openca-server/Server/Command/) on tuesday ;)
I hope you can agree with such a change. I do not implement the code for this until now. I want to discuss it first. If we could agree on this then it would makes several things much easier (e.g. multi-role/multi-person approval).
Michael -- _______________________________________________________________
Michael Bell Humboldt-Universitaet zu Berlin
Tel.: +49 (0)30-2093 2482 ZE Computer- und Medienservice Fax: +49 (0)30-2093 2704 Unter den Linden 6 [EMAIL PROTECTED] D-10099 Berlin _______________________________________________________________
smime.p7s
Description: S/MIME Cryptographic Signature
