LE CORVIC Y InfoEdpEtcDep wrote:
> Hi

Hi,

> We are currently working on a prototype of PKI.

So are we ... :-D

> I would like to know a couple of things :
> 
> - Is it possible to generate the first keypairs directly on tokens to give
> the users without them having to do anything ? This would be useful to get
> them started swiftly.

It depends on what you mean by it. If you mean the token to be initialized
within your organization and then the user simply comes and gets it, the answer
is: it depends on the policy you are referring to. You have to keep in mind
(and many forget this) that the PKI is based on a trust path between the user
and the CA.

You can do whatever you want to but it MUST be clear what you are going to
do in your policies and that document should be available to everyone.
Usually you want to register your own OID for your organization to reference
it within the certificates.

> - Is there a way to backup private keys from tokens used by users ?

If the tokens allow backing up keys, yes. But frankly I really would discourage
it because of the fact that the more copies of the keys there are, the more
chances for the cracker to come into touch with them.

Anyway it depends on the usage you issue the certificates for. Also it depends
on what is written in your policies.

> - Is there a way for users to just send a certificate request without them
> generating the key pair ?

Yes, make them simply fill in a simple form... in OpenCA, actually, there is not
this possibility, but it could be added to the wishlist.


-- 

C'you,

        Massimiliano Pala

--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]                [EMAIL PROTECTED]
                                                      [EMAIL PROTECTED]
http://www.openca.org                            Tel.:   +39 (0)59  270  094
http://openca.sourceforge.net                    Mobile: +39 (0)347 7222 365
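Added example, not part of the list post nor of OpenCA: a central enrollment desk generates the key pair on the user's behalf (the form-based flow discussed above), builds the CSR from the submitted form fields, and hands the key back only inside a passphrase-protected PKCS#12 bundle, so no plaintext copy survives on the enrollment host. It assumes the openssl CLI is installed; all names, subject values and the passphrase are constructed sample values.

```shell
#!/bin/sh
# Central (server-side) key generation for a user who only submits a form.
# Assumes the openssl command-line tool is available.
set -eu

# Form fields as submitted by the user (constructed sample values).
FORM_CN="Alice Example"
FORM_EMAIL="alice@example.org"
FORM_O="Example Org"

# enroll_user DIR CN EMAIL ORG PASSPHRASE
# Generates the key, writes the CSR, packs the key into PKCS#12 and wipes
# the plaintext key so the bundle is the only copy that leaves this host.
enroll_user() {
    dir=$1; cn=$2; email=$3; org=$4; pass=$5
    mkdir -p "$dir"
    # Files created from here on are readable by this account only.
    umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null
    # The CSR carries the form data as the subject; openssl signs it with
    # the key, which is what the CA later checks as proof of possession.
    openssl req -new -key "$dir/key.pem" \
        -subj "/O=$org/CN=$cn/emailAddress=$email" -out "$dir/req.csr"
    # Key-only PKCS#12 transport bundle, opened with the issued passphrase.
    openssl pkcs12 -export -inkey "$dir/key.pem" -nocerts \
        -out "$dir/transport.p12" -passout "pass:$pass"
    rm -f "$dir/key.pem"
}

# csr_ok DIR: returns 0 when the CSR's self-signature verifies.
csr_ok() {
    openssl req -in "$1/req.csr" -noout -verify >/dev/null 2>&1
}

# p12_ok DIR PASSPHRASE: returns 0 when the bundle opens with that passphrase.
p12_ok() {
    openssl pkcs12 -in "$1/transport.p12" -nocerts -nodes \
        -passin "pass:$2" -out /dev/null 2>/dev/null
}
```

The passphrase has to reach the user over a separate channel from the bundle itself, and the policy document should state that the key was generated centrally.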
