> Brian Coghlan wrote:
>> Hello, I have been using OpenCA 0.8.1 for our grid CA software,
>> and am now looking at porting to 0.9.2
>> What is badly needed is a semi-automatic renewal mechanism, where:
>> (a) the subject is told somehow, near expiry time, that
>> they may renew.
>
> This is actually implemented as warnExpiring
>
> --> node interface
> --> utilities
> --> warn expiring certs
Good, but I was allowing for a possible challenge to be
included in this notification. Would this be difficult ?
>> (b) the subject connects to the public server, and a new
>> cert request is created with the same DN, plus a new
>> private key is generated.
>> [note that (a) & (b) might involve challenge/response]
>> (c) the old cert is revoked and a new cert is issued
>> I am having difficulty establishing exactly what support
>> is there in OpenCA that could be used for such a renewal
>> mechanism.
>> Could you suggest what you consider the best way to do this ?
>
> First some questions:
>
> 1. It looks like you need no user interaction until you roll out the
> certificate. Is this correct?
No, I'm sorry, I didn't mean to imply that - the user could be
required to go to webpage(s) - in fact that was what I had
imagined would be required if challenge/response was invoked.
> 2. Why do you want to revoke the old certificate? This results in big
> CRLs if you have many customers - and grids should be really big.
Quite correct, they could just be allowed to expire, but then there
is the problem of 2 certs with the same DN [but different serial
numbers?] overlapping in time.
What do you suggest doing about that, given one is using OpenCA ?
> 3. If the process is nearly full-automatic why do you want to warn the
> users before expiring?
Because it cannot be automatic in that sense - the CP/CPS conditions
must still be met for the cert to be renewed [as a minimal example,
the details of the user's DN should still be valid], and this should
be confirmed by the user themselves, at the very minimum, and the
confirmation would preferably be signed with the expiring cert.
Whatever processed the confirmation would need to verify the
signature [and any challenge/response].
Given that, what would you suggest ?
Also, is there some existing combination of forms/pages/functions
that you feel would be a good basis ?
> If I would have to implement such a renewal process I would think about
> using and customizing the batchprocessors. Perhaps the processors are
> not exactly what you need but it should be possible to adapt them to
> your needs.
Yes, I looked at that, but the documentation was so scanty it seemed
sensible to ask you.
Is there better documentation of that somewhere, or a good reference
example, or is it a case of examining the code ?
Thanks for the prompt response
Brian
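The verification step Brian describes above (a renewal confirmation signed with the expiring certificate, checked along with a challenge and the DN of the new request) as an added example; this is not code from the thread or from OpenCA. It uses Go's standard library x509/ecdsa packages instead of OpenCA's Perl, and the CA, end-entity certificate, challenge string and 30-day renewal window are all constructed here as assumptions.

```go
package main

// Added example (not OpenCA code): a CA-side check of a renewal confirmation
// that the subject signed with the key of their expiring certificate.
// The root CA, the end-entity certificate and the challenge are all
// constructed in memory; the renewal window is an assumed policy value.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// renewalWindow: how long before NotAfter a subject may confirm renewal (assumed policy).
const renewalWindow = 30 * 24 * time.Hour

// issueCert builds and signs a certificate; for the CA (isCA) it is self-signed.
func issueCert(subject pkix.Name, serial int64, notBefore, notAfter time.Time, isCA bool,
	pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// confirmationMessage is the exact byte string both sides sign and verify. Binding the
// CA-issued challenge and the serial number into it stops a captured confirmation from
// being reused for another certificate or another renewal round.
func confirmationMessage(cert *x509.Certificate, challenge []byte) []byte {
	return []byte(fmt.Sprintf("renewal-confirmation\nserial=%s\nsubject=%s\nchallenge=%x\n",
		cert.SerialNumber.Text(16), cert.Subject.String(), challenge))
}

// signConfirmation is the subject's side: sign the message with the expiring cert's key.
func signConfirmation(key *ecdsa.PrivateKey, cert *x509.Certificate, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(confirmationMessage(cert, challenge))
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyRenewal is the CA's side. It accepts only if the presented certificate is inside
// the renewal window but not yet expired, chains to our root, the signature over the
// recomputed message verifies under that certificate's key, and the new request keeps the DN.
func verifyRenewal(roots *x509.CertPool, cert *x509.Certificate, challenge, sig []byte,
	newSubject pkix.Name, now time.Time) error {
	if now.After(cert.NotAfter) {
		return errors.New("certificate already expired: treat as a new enrolment, not a renewal")
	}
	if cert.NotAfter.Sub(now) > renewalWindow {
		return errors.New("certificate is not yet inside the renewal window")
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to our CA: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported public key type")
	}
	digest := sha256.Sum256(confirmationMessage(cert, challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("confirmation signature does not verify under the expiring certificate")
	}
	if newSubject.String() != cert.Subject.String() {
		return errors.New("new request DN differs from the expiring certificate's DN")
	}
	return nil
}

// buildTestPKI constructs a root CA and one end-entity certificate expiring at eeNotAfter.
func buildTestPKI(now, eeNotAfter time.Time) (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey, error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	eeKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, nil, errors.New("key generation failed")
	}
	year := 365 * 24 * time.Hour
	caCert, err := issueCert(pkix.Name{CommonName: "Example Grid CA"}, 1, now.Add(-2*year),
		now.Add(10*year), true, &caKey.PublicKey, nil, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	eeSubject := pkix.Name{Organization: []string{"Example Grid"}, CommonName: "Grid User 001"}
	eeCert, err := issueCert(eeSubject, 42, now.Add(-year), eeNotAfter, false, &eeKey.PublicKey, caCert, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, eeCert, eeKey, nil
}

func main() {
	now := time.Now()
	pool, eeCert, eeKey, err := buildTestPKI(now, now.Add(10*24*time.Hour)) // expires in 10 days
	if err != nil {
		panic(err)
	}
	challenge := []byte("constructed-challenge-0001") // in practice random and stored per request
	sig, _ := signConfirmation(eeKey, eeCert, challenge)
	fmt.Println("valid renewal accepted, error =", verifyRenewal(pool, eeCert, challenge, sig, eeCert.Subject, now))
}
```

The DN comparison is what answers the question about two certificates with the same DN overlapping in time: the CA can look the serial number up in its own records, see that a successor was already issued for that DN, and refuse a second renewal, without revoking the old certificate and growing the CRL.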
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users