Hi all,

As there are some people who are interested in the online/offline
separation as in OpenCA, I've just discussed a few ideas with Martin
on how to handle this.
Here are our ideas (based on the CSR/issuance workflows):
- the online and offline workflows have different workflows, the
  online machine deals with the approval, and exports after persisting
  the CSR (via an activity, based on the one in Tools/Export.pm).
  It creates a so-called random "sync cookie" which is stored in the
  workflow and thus exported to the offline machine, too.
- on the offline machine, an import API method is called that checks
  for files that are to be imported. If no workflow with the given
  sync cookie and workflow type exists, a new one is created with the
  parameters from the original workflow context. If a workflow with the
  given sync cookie and type exists, an import activity is called on it.
  The import activity takes the current workflow context as a parameter
  and which workflow context parameters to import as a configuration
  parameter. In this way, one can for example only import the
  certificate from the offline machine into the online machine workflow.
- The sync cookie can be used to group together workflows that belong
  together. In the CSR/issuance example, the CSR workflow would export
  to the offline machine, creating a new workflow there, where an
  issuance workflow would be forked. The cert issuance workflow exports
  back to the online machine, creating a new workflow there. We now know
  that the offline machine CSR and issuance workflows belong together
  because they have the same sync-cookie.

I believe this is flexible enough to deal with future cluster
situations, too. Any objections? If not, I'll start implementing it
today.

Best regards,
    Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer
        [EMAIL PROTECTED] | working @ urn:oid:1.3.6.1.4.1.11417
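
As an added example that is not part of the original message and not OpenXPKI code: a Python model of the import rule described above, where an unknown sync cookie and workflow type creates a new workflow and a known pair only receives the configured context keys. The `Machine` class, the record format and all sample values are assumptions constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Workflow:
    wf_type: str
    sync_cookie: str
    context: dict = field(default_factory=dict)

def export(wf):
    """Serialize a workflow for transfer (constructed record format)."""
    return {"type": wf.wf_type, "sync_cookie": wf.sync_cookie,
            "context": dict(wf.context)}

class Machine:
    """Hypothetical model of one side (online or offline)."""
    def __init__(self, import_keys):
        self.import_keys = import_keys  # wf type -> context keys import may copy
        self.workflows = {}             # (sync_cookie, wf_type) -> Workflow

    def create(self, wf_type, context, sync_cookie=None):
        cookie = sync_cookie or secrets.token_hex(16)  # random sync cookie
        wf = Workflow(wf_type, cookie, dict(context))
        self.workflows[(cookie, wf_type)] = wf
        return wf

    def import_record(self, rec):
        wf = self.workflows.get((rec["sync_cookie"], rec["type"]))
        if wf is None:  # unknown cookie/type pair: new workflow from full context
            return "created", self.create(rec["type"], rec["context"], rec["sync_cookie"])
        # known pair: the import activity copies only the configured keys
        for key in self.import_keys.get(wf.wf_type, ()):
            if key in rec["context"]:
                wf.context[key] = rec["context"][key]
        return "imported", wf

    def group(self, cookie):
        """Workflow types on this machine that share a sync cookie."""
        return sorted(t for (c, t) in self.workflows if c == cookie)

def demo():
    online = Machine({"csr": ["certificate"]})  # online CSR workflow accepts only the cert
    offline = Machine({})
    csr = online.create("csr", {"pkcs10": "CONSTRUCTED-CSR", "approved": True})
    first, off_csr = offline.import_record(export(csr))
    issuance = offline.create("issuance", {"pkcs10": "CONSTRUCTED-CSR"}, csr.sync_cookie)
    issuance.context["certificate"] = "CONSTRUCTED-CERT"
    back, _ = online.import_record(export(issuance))
    off_csr.context.update(certificate="CONSTRUCTED-CERT", approved=False)
    merged, on_csr = online.import_record(export(off_csr))
    return first, back, merged, on_csr.context, offline.group(csr.sync_cookie)
```

In `demo()`, the `approved` value changed on the offline side never reaches the online CSR workflow, because only `certificate` is listed as an importable key for that workflow type.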
