> Chris Covell wrote:
>> Hello there,
>>
>> On Mon, 2004-05-17 at 15:28, Michael Konietzka wrote:
>>
>>> The user should enter his data once and he gets a x509-cert
>>> for his signing cert and a pkcs12 for his decrypting cert.
>>
>> OpenCA does support this, but you will need to generate each key pair
>> separately.
>>
>> 1. If you use the standard request for the signing key then the keys
>> are generated on the client.
>>
>> 2. Then if you use the basic request the keys are generated on the
>> RA.
>>
>> I think this gives you what you are after, but it requires the user to
>> make two requests.
>
> Ok, but how should I handle the different keyUsage in the certification
> process?
>
> A user-certificate (sign) for E-Mail-Signing, non-repudiation, Client-Auth
> should have another keyUsage than a user-certificate (enc/decryption) for
> email-encryption.
>
> A sign-certificate has the following keyUsage:
> keyUsage = nonRepudiation, digitalSignature
> extendedKeyUsage: TLS Web client authentication, E-mail protection
>
> An encryption/decryption certificate has the following keyUsage:
> keyUsage = keyEncipherment, dataEncipherment, keyAgreement
>
> Should these be different roles, for example "User-sign", "User-encrypt"
> within one CA,
> or should I set up two CAs each with one "User"-role, but the role has
> different keyUsages on the two CAs?
>
> +---------+    +----------------+
> | Root-CA |-+--| E-Mail-Sign-CA |   User: keyUsage:
> +---------+ |  +----------------+   nonRepudiation,digitalSignature
>             |
>             |
>           +-+--------------+
>           | E-Mail-Enc-CA  |       User: keyUsage:
>           +----------------+       keyEncipherment,
>                                    dataEncipherment,keyAgreement
>
> When using two CAs there should be a separate RA/PUB-Interface for each
> CA.
If you want to use key recovery then you can use the batchsystem which explicitly supports key recovery. The batchsystem creates encrypted keybackups, PINs and PKCS#12 files. The batchsystem of 0.9.2 is state-driven. The keyrecovery system can use an extra key/certificate pair or the CA key/cert to encrypt the keys.

The big disadvantage is that we have to develop a completely new batch system for 0.9.2. So 0.9.1 and 0.9.2 are fully incompatible. 0.9.1 was not flexible enough and not state-driven.

BTW I moved the batch stuff to its own interface. So there will be some new things on Monday when I publish the next snapshot.

Michael
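The "one CA, two roles" option raised in the quoted question can be tried out with plain OpenSSL. The script below is an added example, not OpenCA's code and not part of the thread: it builds a throwaway CA, issues a "User-sign" and a "User-encrypt" certificate for the same subject from two extension profiles that carry exactly the keyUsage/extendedKeyUsage split quoted above, and then shows what a relying party sees when it checks each certificate against an S/MIME purpose. It assumes only the `openssl` command-line tool; the CA name, subjects, section names and file names are made up for the example.

```shell
#!/bin/sh
# Added example (not OpenCA's own code): one CA, two end-entity profiles
# ("User-sign" and "User-encrypt") differing only in keyUsage/extendedKeyUsage,
# plus the purpose checks a relying party can run. Assumes only the openssl
# CLI; all names, subjects and file names below are made up for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles. user_sign / user_enc carry the keyUsage split from the
# thread; v3_ca is the issuing CA's own profile.
write_profiles() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ user_sign ]
basicConstraints = CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ user_enc ]
basicConstraints = CA:FALSE
keyUsage = critical, keyEncipherment, dataEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# setup_ca DIR: self-signed issuing CA using the v3_ca profile.
setup_ca() {
  d=$1
  write_profiles "$d/profiles.cnf"
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$d/profiles.cnf" -extensions v3_ca \
    -key "$d/ca.key" -subj "/CN=Example Mail CA" -days 30 \
    -out "$d/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME SUBJECT PROFILE: fresh key pair, CSR, CA-signed cert
# with the extensions taken from the named profile section (not the CSR).
issue_cert() {
  d=$1; name=$2; subj=$3; profile=$4
  openssl genrsa -out "$d/$name.key" 2048 2>/dev/null
  openssl req -new -config "$d/profiles.cnf" -key "$d/$name.key" \
    -subj "$subj" -out "$d/$name.csr" 2>/dev/null
  openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/profiles.cnf" \
    -extensions "$profile" -out "$d/$name.crt" 2>/dev/null
}

# cert_ext CERT NAME: value line of an X509v3 extension, e.g. "Key Usage".
cert_ext() {
  openssl x509 -in "$1" -noout -text |
    awk -v ext="X509v3 $2" 'index($0, ext) { getline; sub(/^ */, ""); print; exit }'
}

# cert_purpose CERT CA PURPOSE: "accepted" or "rejected" for an OpenSSL
# purpose such as smimesign or smimeencrypt (chain + keyUsage/EKU checks).
cert_purpose() {
  if openssl verify -CAfile "$2" -purpose "$3" "$1" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

setup_ca "$WORK"
issue_cert "$WORK" user-sign "/CN=Alice/emailAddress=alice@example.test" user_sign
issue_cert "$WORK" user-enc  "/CN=Alice/emailAddress=alice@example.test" user_enc

for role in user-sign user-enc; do
  echo "$role: keyUsage=$(cert_ext "$WORK/$role.crt" "Key Usage")"
  echo "$role: smimesign=$(cert_purpose "$WORK/$role.crt" "$WORK/ca.crt" smimesign)" \
       "smimeencrypt=$(cert_purpose "$WORK/$role.crt" "$WORK/ca.crt" smimeencrypt)"
done
```

The point of the two `cert_purpose` calls is that the role split only protects anything if relying parties enforce it: with `-purpose smimesign` the encryption certificate is rejected because its keyUsage lacks digitalSignature, and with `-purpose smimeencrypt` the signing certificate is rejected because it lacks keyEncipherment, so a signing key can never be forced into the key-recovery role and an escrowed encryption key cannot produce a signature the verifier accepts. One caveat on the quoted profile: keyAgreement describes key-agreement keys (DH/ECDH); on an RSA encryption certificate it is harmless but meaningless, and keyEncipherment is the bit that matters.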
