I have seen that OpenCA 0.9.1 doesn't have any log interface. It's not possible to audit who has done what and when. I need that every operation at the CA is logged and signed by an operator, because then I can audit the system and know who has done what and when. Let me give an example:
A certificate is generated, but then we discover that the person who asked for the certificate was forbidden to have a certificate in our chain. Or a certificate was revoked and it shouldn't have been revoked. So, we need to know who did the operation, which CA operator, in order to punish him/her.
Have you thought about and done anything in this direction? What kind of logs are already implemented in OpenCA? I found just export/import data logs... Which operations can the CA Operator sign? I've seen only operations at the RA that can be signed by the RA Operator...
OpenCA 0.9.1 has no log concept (only the DBI module does some logging). OpenCA 0.9.2 is the first version with a logging concept. So it looks like I have to explain our concept which is not fully implemented in 0.9.2 until now.
1. Signatures
-------------
OpenCA uses signatures only for the following things:

1. login (if you login with a certificate, e.g. with a smartcard)
2. for the protection of approved requests (CSRs and CRRs)
3. for the protection of our logs
4. for the protection of header fields of certificates

Item 3 is not implemented or tested so far because you need a hardware token for this and I have no such token yet. Also there must be a protection against log removal (e.g. it must be detected if entries 4 and 1003 are removed). This protection must support high loads and parallel entries.
2. Logging
----------
OpenCA writes a logging message for every operation on an interface. The messages are connected by session IDs. If you find an operation then you can inspect the whole session of the user. Until today the object keys are not logged. I will implement this in January. It is quite simple because we must only store the CGI params key and serial in the message.
If you think that we should log other data fields too then please write a mail.
Summary
-------
If you need exact proof that an administrator has made a mistake then you must use smartcard logon via a web browser. This identifies the operator who performs an operation.
In the future there will be support for signed logs too but this is at minimum three or four months away (this is an optimistic guess).
Michael
--
-------------------------------------------------------------------
Michael Bell                          Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice        Tel.: +49 (0)30-2093 2482
(Computing Centre)                    Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                          Email (private): [EMAIL PROTECTED]
Germany                               http://www.openca.org
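The two requirements Michael describes above, a log whose entries are tied together so that removing entry 4 or 1003 is detectable, and entries keyed by session ID plus the object key and serial, can be sketched as a hash-chained audit log. The following is an added illustration written for this thread; it is not OpenCA code and does not reflect how 0.9.2 stores its logs. The entry fields, the SHA-256 chain, and the HMAC key are all assumptions: the key stands in for the hardware-token signature the message says is still missing.

```python
"""Tamper-evident audit log sketch: sequence-numbered, hash-chained entries.

Added example, not OpenCA code. Each entry stores the hash of its predecessor,
so deleting or reordering an entry in the middle breaks the chain, and a
sequence-number gap shows which entry is missing.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo key. In the design described in the thread this role would
# be played by a signature from an operator or CA hardware token.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
GENESIS = hashlib.sha256(b"genesis").hexdigest()
BODY_FIELDS = ("seq", "session_id", "operator", "operation", "key", "serial", "prev_hash")


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the hash does not depend on dict ordering.
    canonical = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(body["prev_hash"].encode() + canonical).hexdigest()


def _mac(entry_hash: str) -> str:
    return hmac.new(SIGNING_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def append(self, session_id, operator, operation, key=None, serial=None):
        """Append one operation; 'key' and 'serial' mirror the CGI params the
        thread says will be added to each message. Appends must be serialized
        (a lock or a single writer) because each entry depends on the last one."""
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries) + 1,
            "session_id": session_id,
            "operator": operator,
            "operation": operation,
            "key": key,
            "serial": serial,
            "prev_hash": prev_hash,
        }
        h = _entry_hash(body)
        self.entries.append({**body, "entry_hash": h, "mac": _mac(h)})
        return h


def verify(entries):
    """Walk the chain and report every inconsistency found.

    Returns (ok, problems). A removed middle entry shows up as a sequence gap
    plus a prev_hash mismatch; an edited entry shows up as a content mismatch.
    """
    problems = []
    expected_seq = 1
    prev_hash = GENESIS
    for e in entries:
        if e["seq"] != expected_seq:
            problems.append(f"gap: expected seq {expected_seq}, found {e['seq']}")
            expected_seq = e["seq"]
        if e["prev_hash"] != prev_hash:
            problems.append(f"seq {e['seq']}: prev_hash does not match previous entry")
        body = {k: e[k] for k in BODY_FIELDS}
        if _entry_hash(body) != e["entry_hash"]:
            problems.append(f"seq {e['seq']}: entry content modified")
        if not hmac.compare_digest(_mac(e["entry_hash"]), e["mac"]):
            problems.append(f"seq {e['seq']}: MAC invalid")
        prev_hash = e["entry_hash"]
        expected_seq += 1
    return (not problems), problems


def session_history(entries, session_id):
    """All entries of one session, the 'inspect the whole session' view."""
    return [e for e in entries if e["session_id"] == session_id]


def demo_log(n=10):
    """Constructed sample log: n operations spread over two sessions."""
    log = AuditLog()
    for i in range(1, n + 1):
        sid = "sess-A" if i % 2 else "sess-B"
        log.append(sid, "ca_operator_1" if i % 2 else "ca_operator_2",
                   "issue_cert", key="CERTIFICATE", serial=str(i))
    return log


if __name__ == "__main__":
    log = demo_log()
    print(verify(log.entries))
    tampered = [e for e in log.entries if e["seq"] != 4]  # drop entry 4
    print(verify(tampered))
```

Removing the last entry (truncation) is not caught by the chain alone; the verifier needs the most recent entry hash anchored somewhere the log writer cannot rewrite, such as a periodically signed checkpoint. The chain also forces appends to be serialized, which is the tension with the "high loads and parallel entries" requirement named in the message; one common answer is per-writer chains that are periodically cross-linked, but that goes beyond what the thread discusses.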
