I've been working on a similar project. My approach, with notes, is:
- JSP front-end. This isn't so much for the forms as for the results when you search the database - the JSP kicks out XML, but can run it through XSLT for browsers and clients that don't natively support XML.

- The datastore is PKI-enhanced PostgreSQL. This user library allows all certs, cert requests, etc., to be stored as first-class objects and defines "stored procedure" functions that mirror the OpenSSL library. The idea is that the datastore can enforce some CA rules, e.g., before you can insert a new record the signer of the record must be known to the database. (This is a "deferred" constraint so you can add new root certs.) Or if you invalidate a cert, a trigger will invalidate all certs signed by this cert after some date.

- The CA would actually be split into a CA (cert signer only), RA (accepts requests, uses J2EE to allow automation of many requests), and a CertStore (http, ftp, ldap interface to searchable database). These would be separate applications, and could eventually run on different hardware.

- For the actual signing, I was thinking about using a Java Card! It's slow, but the card can be set to never reveal its private key, and you can generate the top few levels of your certs (true root, working root), then toss them in an envelope and then lock them into a safe.

Unfortunately, my project is on hold until I finish moving to Portland. I may be able to get back to it early next year, and there's some interest in launching a Portland area colo co-op and this would be one of the founding projects.

Do you have a cite for that Gutmann paper? I've worked out a database design myself, but would certainly like to check it against his suggestions.
Bear

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
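The two database-enforced CA rules described in the post above (the signer must already be known, deferred so a self-signed root can be added; and revoking a cert revokes what it signed after the revocation date) can be expressed as a deferrable foreign key plus a trigger. This is an added PostgreSQL example, not the poster's own schema or the PKI-enhanced PostgreSQL library he mentions; the table layout, the use of a certificate fingerprint as the key, and the `issuer_fp` column are simplifying assumptions.

```sql
-- Added example (not from the original post). Assumed schema: each cert is
-- keyed by its fingerprint and names its signer by the signer's fingerprint.
CREATE TABLE certs (
    fingerprint  text PRIMARY KEY,      -- hex digest of the DER (assumed key)
    subject      text NOT NULL,
    issuer_fp    text NOT NULL,         -- fingerprint of the signing cert
    not_before   timestamptz NOT NULL,
    not_after    timestamptz NOT NULL,
    revoked_at   timestamptz,           -- NULL while the cert is valid
    der          bytea NOT NULL,
    -- Rule 1: the signer must be a cert already in the database.
    -- DEFERRABLE INITIALLY DEFERRED means the check runs at COMMIT,
    -- so a self-signed root (issuer_fp = fingerprint) can be inserted.
    CONSTRAINT certs_issuer_known
        FOREIGN KEY (issuer_fp) REFERENCES certs (fingerprint)
        DEFERRABLE INITIALLY DEFERRED
);

-- Rule 2: when a cert is revoked, revoke every cert it signed that was
-- issued on or after the revocation date. The UPDATE re-fires this same
-- trigger on each child, so revocation walks down the whole chain; the
-- "revoked_at IS NULL" test stops the recursion.
CREATE OR REPLACE FUNCTION cascade_revocation() RETURNS trigger AS $$
BEGIN
    IF OLD.revoked_at IS NULL AND NEW.revoked_at IS NOT NULL THEN
        UPDATE certs
           SET revoked_at = NEW.revoked_at
         WHERE issuer_fp = NEW.fingerprint
           AND fingerprint <> NEW.fingerprint   -- skip a self-signed root
           AND not_before >= NEW.revoked_at
           AND revoked_at IS NULL;
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER certs_cascade_revocation
    AFTER UPDATE OF revoked_at ON certs
    FOR EACH ROW EXECUTE PROCEDURE cascade_revocation();

-- Constructed sample data: a self-signed true root and a working root it
-- signs, loaded in one transaction so the deferred FK is satisfied at COMMIT.
BEGIN;
INSERT INTO certs VALUES ('root', 'CN=True Root', 'root',
                          '2002-01-01', '2012-01-01', NULL, '\x00');
INSERT INTO certs VALUES ('work', 'CN=Working Root', 'root',
                          '2002-02-01', '2007-01-01', NULL, '\x00');
COMMIT;
-- Inserting a cert whose issuer_fp is unknown fails at COMMIT with a
-- foreign-key violation; revoking 'root' as of 2002-01-15 also marks 'work'.
UPDATE certs SET revoked_at = '2002-01-15' WHERE fingerprint = 'root';
```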
