Hi,

discussion split from the CRL serial thread:

>> Other thoughts:
>> We need some way to express certificate chains. An entry in the
>> CERTIFICATE table could include a reference to the issuer certificate
>> in the same table. Self-signed certificates could point to themselves.
>> This also means that the table can contain certificates that are not
>> assigned to an internal CA (CAs outside the OpenCA installation's
>> scope).
>
> Do you want to import a complete PKI from another CA? I remember that
> you need this for management issues (one PKI for operator certs and one
> PKI for user certs). The serials are really problematic because they
> cannot be unique. Perhaps we must define the primary index on another
> base (serial + external ca).

Hmm, this is one issue, but I was thinking more along the lines of
e.g. creation of PKCS#12, Java Keystores or SCEP. In all these cases
we need to create a certificate chain (up to or even including the Root
CA), and this is currently really not optimal in 0.9.2.
I'd love to have an internal function that simply gives me a Perl
Array containing Certificate objects with the complete chain for
a certificate.

Storing foreign Root CA certificates would be useful, too.
The first step would be the possibility to import an arbitrary number
of foreign Root Certificates. At first nothing should happen with them,
they are just imported to the database.
Now we could extend signature verification to have a configurable
subset of the available Root Certificates in the database which are
to be trusted for signatures.
Presto, automatic and fine grained cross-PKI trust relationship,
maybe even different across (External) CA instances!

Just an idea, but I think it's quite orthogonal :-)

cheers

Martin
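The chain-building function and the configurable root trust described above, sketched as an added illustration (not OpenCA code): rows mimic a CERTIFICATE table with an issuer reference column, self-signed certificates reference their own row, and the "trusted for signatures" decision is a configured subset of root ids. All row ids, subjects and the `CertRow` type are constructed for the example.

```python
# Added example: walk issuer references in a CERTIFICATE-style table.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CertRow:
    cert_id: int              # primary key of this row
    subject: str
    issuer_id: int            # issuer row; self-signed -> own cert_id
    ca: Optional[str] = None  # internal CA name, None for imported certs

# Constructed sample table: internal PKI plus one imported foreign root.
TABLE = {
    1: CertRow(1, "CN=Internal Root", 1, "root"),
    2: CertRow(2, "CN=Internal Sub CA", 1, "subca"),
    3: CertRow(3, "CN=user@example.org", 2, "subca"),
    4: CertRow(4, "CN=Foreign Root", 4),       # imported, not assigned
    5: CertRow(5, "CN=Foreign Operator", 4),   # issued by foreign root
    6: CertRow(6, "CN=Dangling", 99),          # issuer never imported
}

def build_chain(table, cert_id):
    """Return [leaf, ..., root] by following issuer_id references.
    Raises ValueError if an issuer is missing or the references loop
    without ever reaching a self-signed certificate."""
    current = table.get(cert_id)
    if current is None:
        raise ValueError(f"certificate {cert_id} not in table")
    chain, seen = [], set()
    while True:
        if current.cert_id in seen:
            raise ValueError("issuer loop without self-signed root")
        seen.add(current.cert_id)
        chain.append(current)
        if current.issuer_id == current.cert_id:  # self-signed: done
            return chain
        current = table.get(current.issuer_id)
        if current is None:
            raise ValueError(f"issuer {chain[-1].issuer_id} not in table")

def is_trusted(table, cert_id, trusted_root_ids):
    """Signature-trust decision: the chain must end at one of the
    configured trusted roots (the per-instance subset in the proposal).
    An incomplete or looping chain is never trusted."""
    try:
        chain = build_chain(table, cert_id)
    except ValueError:
        return False
    return chain[-1].cert_id in trusted_root_ids
```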

_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel