Martin Bartosch wrote:

> I was wondering on how to implement the following two requirements:

Usually this is the beginning of an RFE ... :)

> 1. Create a group of RA administrators explicitly named by DNs (no
>    OU or DC stuff)
>    Only this group should be able to approve certificates via the RA
>    interface.

> Background information: these RA officers will be using a SmartCard
> for personal identification. These SmartCards are issued by a CA that
> is completely unrelated to the OpenCA PKI.
>
> What I want to do now is to explicitly name the DNs of the SmartCards
> that should be allowed to approve requests.

This is already implemented. You have to put the CA certificate which creates these certs into the chain directory and then you have to rebuild the chain. Additionally you have to deactivate the role mapping.

file:  access_control/*.xml
xpath: access_control/acl_config/map_role --> no

This works only for login and not for signing.

> 2. Trust a second Root CA (the one issuing the above mentioned SmartCards).
>    This should enable OpenCA to accept signatures created by certificates
>    from this second PKI in addition to its own.
>
> Is there a way to do this currently? Is it as simple as adding the
> second Root CA cert to the chain directory?

No, approveCSR and approveCRR additionally check that the signer's certificate is in OpenCA's database. If you need this then you must deactivate the check in libCheckSignature. If you need this then please write it as an RFE. I think we can make this configurable in the access control but it is not a high priority issue.

Michael
--
-------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice            Tel.: +49 (0)30-2093 2482
(Computing Centre)                        Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): [EMAIL PROTECTED]
Germany                                       http://www.openca.org