Hi,

> so if I see this correctly the new scep script adds new functionality
> AND does everything it has done before - means it is a drop-in
> replacement for the old script?

umm, yes, if it is configured to work so, it will work just like
the old script.
BTW: an older version of this script has been in test (preproduction)
use in my environment for some months now, but we currently do not
experience high load on the SCEP interface.


> Martin, you said it is "slower" - academic slower or practical slower :)

I guess practically, but I haven't performed benchmarks on this.
Michael is *very* concerned about performance and the additional
latency introduced by the script.

Currently it involves at minimum instantiating an additional OpenCA::REQ
object and some additional database queries for each request, but
it should be possible to modify the code to exclude these steps
if the configuration is really 'barebone'.
So, yes, it is possible to modify the code to make it behave with
the same performance and the same feature set as the old code.

But a really bad hack is included to parse the SubjectAltName from the
incoming SCEP PKCS#10 request: this is currently not supported by
the OpenCA::REQ module, so I had to use the OpenSSL binary for this.
This must go away in a later release, but for this I will have to
write the stub code in the .xs file for the request parse class.

> If I assume right - my opinion: make the new scep script the default and
> keep the old one in the tree as ".old" so that people who absolutely
> won't update can simply use the old script.

I don't favour the idea, but if the other developers agree and positively
support this, I will make the necessary modifications to the code to
make it fit for 0.9.2.

Opinions?

Martin




_______________________________________________
OpenCA-Devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-devel
