Hi Dalini,

First of all, thanks for your help. However, I still have some doubts. Probably I didn't explain myself very well. I'll try to do it better now:

In my opinion, there are 2 main kinds of requests:

a) the ones that involve keys and CSR generation by OpenCA (server side generation and also browser side generation). Usually we use them for user requests.

b) the ones where this process is done in a server and a CSR is imported to OpenCA through the public interface. They are used for server certificates.

In both situations, a PIN code is required. I can understand the reason why it's needed in case a) (as a passphrase for encrypting the private key), but I don't know why it is necessary in case b) (no keys or CSR are generated). Therefore, my doubt is the following: is it stored in any database? In case it isn't, I think you could only use it for authentication in case a), because the only way to check if a given password is the same as the PIN code introduced when you made the request is to use the private key. Am I wrong?

What I need is to use the PIN code provided to authenticate a user so that he could download his certificate in case b) (imported CSR and no keys generated by OpenCA).

Thanks again.

Regards,
Manolo

On Tue, 22 Feb 2005 18:19:00 +0100, dalini <[EMAIL PROTECTED]> wrote:
> Manolo Gómez wrote:
>
> > This behaviour is OK for user requests, but has no sense for server
> > requests because in that case the encrypted pair of keys and also a
> > CSR has already been generated in the server. Why is it needed to give a
> > PIN code? Is it used? Is it stored anywhere? Can I use it later for
> > any kind of authentication?
>
> exactly it can be used for authentication purposes
> at the registration node interface there is an option
> called: verify pin, where an ra-operator may have the
> ability to verify the request (basically it opens an extra window, where
> one can submit the pin two times - as password input fields, so it's
> asterisked)
>
> for example: the requester has to go to the ra operator and provide his
> pin in a webform - the openca-system then will compare the request pin
> against the provided password and tell the ra-operator if they match or
> not (he won't see it, only if he follows the fingers on the keyboard of
> the person ;)
>
> so it may be possible, that a workflow requests that server admins show
> up at the pki help desk to confirm their request... and this will work
> with that option
>
> available only in 0.9.2 series
>
> greetings
> dalini
>
> _______________________________________________
> Openca-Users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openca-users
