As we plan for an enlarged PKI using OpenCA, we are confronted with some
potential problems in data exchange.  When data exchange is managed
through a single floppy, it seems that the individual operator manually
resolves all conflicts.  However, as we grow to having multiple RA
operators and multiple CA operators with many operating from remote
locations, the floppy system will not scale.

We have thus implemented network data exchange but see some problems
with potential data overwrites.  For example, if all data exchange is
through some file stored on the RA such
as /usr/local/OpenCA/var/tmp/openca-tar, what happens when the RA
operator uploads to the file and then the CA operator enrolls to this
file before receiving? I would imagine the file will be overwritten and
the RA operator will wonder why their requests have not been processed.
Is this a legitimate concern?

To counter this problem, we thought we would use two separate files, one
for upload/receive and another for download/enroll.  Is this an
appropriate solution? This means the file target for
EXPORT_IMPORT_DOWN_IMPORT is different than EXPORT_IMPORT_DOWN_EXPORT,
for example.  However, it appears that there is only one @__DEVICE__@
variable for both.  Is it possible to create user-defined variables in
the server's .conf.template files? Is it possible to define these
variables in config.xml like the @__DEVICES__@ parameter is defined?

Even if this works to eliminate the overwrites described above, we see
yet another possible problem.  What if two CA Operators, for example,
enroll data to the same RA? Is data lost? I suspect not.  Does the
enrolled tar contain all data and the RA sorts out what is new and what
is already in the database when it downloads? Or does the enrolled tar
contain only limited information and accidentally overwriting it with a
second enroll from the same CA will actually lose data?

Thanks to all of you for your help.  We hope to turn this loose in
production within a week or two - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[EMAIL PROTECTED]

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
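One way to make the exchange robust against the overwrite described in the post above, as an added example that is not part of the original message or of OpenCA itself: a spool-directory scheme in POSIX sh in which each direction (RA to CA uploads, CA to RA enrolls) has its own queue and every transfer is stored under a unique name, written first into a tmp/ directory and then renamed into new/. Because rename is atomic within one filesystem, a reader never sees a half-written file, and because names are unique, a second upload or a second enroll can never clobber one that has not yet been received. The directory layout, the function names and the constructed sample request files are assumptions for illustration; OpenCA's @__DEVICE__@ handling is not modeled.

```shell
#!/bin/sh
# Hypothetical spool-directory exchange (added example, not OpenCA code).
# Layout under BASE (assumed):
#   BASE/ra_to_ca/{tmp,new,done}   RA uploads, CA receives
#   BASE/ca_to_ra/{tmp,new,done}   CA enrolls, RA downloads
set -eu

# spool_init BASE: create both queues.
spool_init() {
    for q in ra_to_ca ca_to_ra; do
        mkdir -p "$1/$q/tmp" "$1/$q/new" "$1/$q/done"
    done
}

# spool_put BASE QUEUE SRCFILE
# Copy SRCFILE into QUEUE under a unique name.  Data goes to tmp/ first and
# is then renamed into new/; rename(2) is atomic on one filesystem, so a
# reader never sees a partial file, and the unique name (timestamp, pid,
# mktemp suffix) means two writers cannot overwrite each other.
spool_put() {
    base=$1; q=$2; src=$3
    tmp=$(mktemp "$base/$q/tmp/XXXXXX")
    cp "$src" "$tmp"
    name=$(date +%Y%m%d%H%M%S).$$.$(basename "$tmp")
    mv "$tmp" "$base/$q/new/$name"
    echo "$name"
}

# spool_take BASE QUEUE
# Claim the oldest pending transfer by renaming it into done/ (again
# atomic, so two competing readers cannot both process the same file) and
# print its new path; print nothing when the queue is empty.
spool_take() {
    base=$1; q=$2
    for f in "$base/$q/new"/*; do
        [ -e "$f" ] || return 0
        dst="$base/$q/done/$(basename "$f")"
        if mv "$f" "$dst" 2>/dev/null; then
            echo "$dst"
            return 0
        fi
    done
}

# spool_pending BASE QUEUE: number of transfers not yet received.
spool_pending() {
    n=0
    for f in "$1/$2/new"/*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Demonstration with constructed sample data: the RA uploads twice before
# the CA receives anything, and both uploads survive.
demo() {
    base=$(mktemp -d)
    spool_init "$base"
    printf 'request 1\n' > "$base/req1"   # constructed sample input
    printf 'request 2\n' > "$base/req2"   # constructed sample input
    spool_put "$base" ra_to_ca "$base/req1" >/dev/null
    spool_put "$base" ra_to_ca "$base/req2" >/dev/null
    echo "pending for CA: $(spool_pending "$base" ra_to_ca)"
    got=$(spool_take "$base" ra_to_ca)
    echo "CA received: $(cat "$got")"
    echo "still pending: $(spool_pending "$base" ra_to_ca)"
    rm -rf "$base"
}

demo
```

The same pattern applies in the other direction: two CA operators enrolling to the same RA each produce their own file in ca_to_ra/new, and the RA imports them one at a time, so nothing is lost regardless of whether an enroll carries a full or an incremental snapshot.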

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users