Hi Martin,
Martin Bartosch wrote:
I would like to implement a function sign_object. Everyone can sign a object to signal that he verified the object. This has nothing to do with the state APPROVED. This way of using signatures allows the old style management (only issuing certs from approved and signed requests) but it supports much more things too.
A RA operator can sign a pending request for a CA operator certificate to signal a CA operator that the data in the request is checked. Nevertheless only a CA operator can approve the request. The idea is to allow much more detailed and flexible policies.
sounds good. I remember discussing something similar in November last year or so. Just make sure the signature is just one possible way of adding a 'approval' for a new state. There will be situations where policy demands an environment where signatures are not desired.
In fact, the approval has nothing explicitly to do with the signature any longer. The signature protects/commits the data. The approval signals a state. So a signature does not add a 'approval'. It only protects the data against manipulation.
Michael -- _______________________________________________________________
Michael Bell Humboldt-Universitaet zu Berlin
Tel.: +49 (0)30-2093 2482 ZE Computer- und Medienservice Fax: +49 (0)30-2093 2704 Unter den Linden 6 [EMAIL PROTECTED] D-10099 Berlin _______________________________________________________________
smime.p7s
Description: S/MIME Cryptographic Signature
