Hi Alex,

Until recently, I thought that smartcard personalization is a
special procedure to work around the RA during the initial massive admittance
of a crowd of new users, and that this procedure acts according
to the HR database.

1) The HR database is prepared in advance and has special flags which
describe the rights of each user in the PKI.

2) A user visits HR, shows his face and ID, then the HR girl gives him a
brand new sealed card.

3) The user inserts this card into a special computer, while the girl
types in his unique name and her credentials. Thus the girl acts
as if she were an RA officer who approves his CSR, with the exception that no
CSR is submitted during this procedure.

4) The special computer contacts the CA with this info. The CA knows about the
special status of this very computer and about the status of the HR girl.
The CA looks into the HR database, reads the flags about this particular user, and
issues a certificate.

All this happens without a CSR and without the need to teach a crowd of newcomers
how the whole procedure works.

Now I understand that you created something different, which I failed
to understand even after spending some time reading the
code. Nonetheless, do you think that the above scenario could be worth
implementing for practical use?

All the best, Sergei

Alexander Klink wrote:
> Hi Sergei,
> 
> On Thu, Jul 05, 2007 at 01:05:40PM +0400, Sergei Vyshenski wrote:
>> But personalization should be run from one computer only, correct?
>> Which is located in the HR department or such, and hold Win+IE.
> Not necessarily. The nice thing about the     
> is that it can be done by the users. Here, the users just receive
> their blank USB token, log in to the smartcard personalization and
> personalize the smartcard themselves ... Of course, you can still do
> this from one PC only, but it means you have to either give users
> access to the PC for that purpose or let someone from HR do it (which
> would mean that this person has access to the certificate and private
> key for a while).
> 
> Best regards,
>     Alex
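The CA-side decision of step 4 in Sergei's scenario, as an added illustration that is not OpenXPKI code or anything from the thread. It assumes, purely for the example, that the personalization workstation authenticates its requests with a shared HMAC key registered at the CA, that the HR operator is identified by a username on an allow-list, and that the HR database carries per-user PKI flags; all names and records are constructed.

```python
# Added example (not OpenXPKI code): CA-side policy for a "no CSR" issuance
# triggered from a registered HR personalization workstation.
import hashlib
import hmac
import json

# Constructed sample data: one registered workstation key, one HR operator,
# and two HR records carrying the PKI flags from step 1 of the scenario.
WORKSTATION_KEYS = {"hr-ws-01": b"constructed-shared-secret"}
HR_OPERATORS = {"hr.operator"}
HR_DB = {
    "alice": {"pki": True, "roles": ["user", "vpn"]},
    "bob":   {"pki": False, "roles": ["user"]},
}


def sign_request(workstation, body):
    """Workstation side: bind the request body to the registered workstation key."""
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(WORKSTATION_KEYS[workstation], raw, hashlib.sha256).hexdigest()


def ca_decide(workstation, body, mac):
    """CA side (step 4): check origin, operator and HR flags, then pick a profile.

    Returns a dict with 'issued' and either a 'reason' or the issuance data.
    """
    key = WORKSTATION_KEYS.get(workstation)
    if key is None:
        return {"issued": False, "reason": "unknown workstation"}
    raw = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return {"issued": False, "reason": "bad request MAC"}
    if body.get("operator") not in HR_OPERATORS:
        return {"issued": False, "reason": "operator not authorised"}
    record = HR_DB.get(body.get("user"))
    if record is None or not record["pki"]:
        return {"issued": False, "reason": "user not flagged for PKI in HR database"}
    # Assumption: the key pair is generated on the card and only the public key
    # travels in the request, so neither HR nor the CA ever holds the private key.
    profile = "auth+vpn" if "vpn" in record["roles"] else "auth-only"
    return {"issued": True, "subject": body["user"], "profile": profile,
            "public_key": body["public_key"]}
```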


_______________________________________________
OpenXPKI-devel mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-devel
