Hi
> I just want to know in which cases we would probably issue exponent 3
> certs.
Keys are created randomly and so it might be possible to create one that
has Exponent of 3
Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Basisze
Hello,
there is a very good guide/documentation and how-tos on the site
http://www.openca.info/legacy/docs.html
If you have any CONCRETE problems you are welcome, but this list is not
capable of telling you all the necessary steps
Oliver
--
This message was digitally signed
oliwel's
Hi Caroll,
> I'm working with OpenCA and I'm trying to know how the shipment of emails
> between the nodes of the application works. For example, not yet I have been
> able to obtain the shipment of the email which contains the CRIN of the
> certificate that is generated. In addition when the CA
Hi Sergei,
Firefox behaves differently. It asks for a master password for the site, which
is empty in our case. But when given empty password, it gives a message
box which says "signature is needed". If I say "ok", it says "can not
parse signature".
I have similar problems with FF 1.0.7 on
hmm a mail from you at 9.11. comes into my mind, saying you will
do that until end of november ;)
Ahh ok - so I have another 11 Month left :)
Sorry but some private things occupy my time atm more than planned
Oliver
--
This message was digitally signed
oliwel's public key: htt
Hi,
Martin: I think you are still waiting for my patch for the checkboxes
for Multi-Approval, right :)
I missed it again, but think we should include this in the next release
too. The patch was from one of the German universities (don't exactly
remember who sent it) and it works fine for me...
http://prdownloads.sourceforge.net/openca/openca-0.9.2.4.tar.gz?download
Obes, Til wrote:
Hi,
is there a .tar.gz of the version 0.9.2.4+?
I need to setup a production system now, so it
would be nice to have this version.
Regards
Til
--
This message was digitally signed
oliwel's
Dear OpenCA Users,
the slides from the latest WorkShop in Munich are now available via the
OpenCA.info website:
http://www.openca.info -> Docs -> Workshop
One of the Use-Case Slides is missing, I hope to receive it tomorrow.
Thanks to all for visiting
Oliver
--
Diese Nachricht wurde digital
Dear Users of OpenCA,
first of all sorry for this slightly Off-Topic post, but I think it is
important for the future of OpenSource and so even for OpenCA...
There is an Internet-election for the "European of the Year" - one of
the candidates is Florian Müller - the founder and main activist
Dear OpenCA users and fellow developers,
I'd like to let you know that I will join Michael in development for
the new OpenXPKI project (see http://www.openxpki.org).
I will extend and refactor the batch-system and started some work on
token-management and key-security.
As Michael and Martin I
Valued OpenCA Users,
I want to announce the (hopefully) stable version of the agenda for this
year's workshop.
We have now six interesting Success-Stories in the afternoon:
* Chipcard's and their Role in PKI Systems (Dr. Stephan Spitz,
Giesecke & Devrient)
* Using OpenCA in Business (Rober
Dear OpenCA users,
I want to announce the updated agenda for the upcoming workshop (17/18
October in Munich/Germany). There are still places left and the dev-team
would enjoy to meet you. For an up-to-date agenda and other inquiries
please visit www.openca.info/news/ws2005.html
We are also s
Hi Edward, Hi List,
1. Board members must/should be active developers.
If we want that the active developers elect the board then we must
define who are active developers.
The reason for making board members active developers is to avoid a
split between the board and the developers. The ris
Hi
anyone of you ever worked on an installer script for OpenCA ?
So I mean some handy cli or curses tool that walks through the
config-xml and eases the initial setup ?
Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate:
Dear OpenCA Users,
for those who are new on the list: There will be an OpenCA User Workshop
on 17/18 October in Munich/Germany - see
www.openca.info/news/ws2005.html for details.
I am currently composing the Agenda and I want your opinion.
Current plans for Tuesday:
9:00 to 12.00: Introducti
Hi Micha,
If we use the GPL then there can be companies which change the code for
their internal use. If we use GPL then it is possible too that we
create interfaces (for servers or modules) which can be used by
proprietary software. So customization is still possible. Only changing
and sell
Hi Michael,
Only a notice for the people who don't read licenses, we cannot use the
pure LGPL because it always talks about a library. So some more detailed
discussion is required.
Hmm ok after looking at gnu.org I think it is no problem just to state
that we consider that "library" is equal
Hi Sergei,
Theory of controlling the complex systems differentiate two types of
the system control:
1) "closed" board. Old board-members elect new board-members.
2) "open" board. ALL community elect new board-members and re-elect
old board-members on a regular basis.
Example of type 1 syste
Board:
>
* Micha, what criteria did you choose to elect the initial members ?
I only looked around who is actually active in the core team. It is only
an initial proposal. We can change without any problems.
ok - I suggest to add Sergei (if he is willing to)
* A "maximum" number of board
Hi,
my comments:
Board:
* Micha, what criteria did you choose to elect the initial members ?
* A "maximum" number of board members should be defined (10, 12 ?)
* A board member is retired from the board if she/he does not
participate on the votes/discussions for a given time/given count.
*
cvs commit: sticky tag `HEAD' for file
`src/common/lib/cmds/warnExpiring' is not a branch
Did you use 'cvs update -r HEAD'? => use 'cvs update -A'.
I really dislike this cvs stuff - it seemed to work
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de
Hi Micha,
patch was committed to the official 0.9.2 branch
1. Did you add a note to CHANGES (I see no cvsdev mail for this).
No, I did not categorize it as "important" enough for a change note - if
you do so, we should add it
2. Can you commit it for the HEAD too please?
hmmm:
cvs c
Gsandtner Michael wrote:
I have modified warnExpiring in the way below. Now for an expiring certificate
always a mail is sent. If the certificate does not contain a mail address, it
is looked for one in the corresponding CSR. As last try the
service_mail_account is used.
Would be nice, if a s
Hi Folks,
finally I did it :)
You can find a tgz containing all necessary files for a revocation-batch
on http://www.ldv.ei.tum.de/media/files/homes/oliwel/batchrevocation.tgz
The revocation is done in three steps - create_crr, approve_crr,
revoke_cert. So you can follow the revocation on th
Might it work to simply append to $obj->{REQ} and then store the
update ??
No, DBI uses getItem to extract the data from the object and this uses
$obj->{ITEM}. BTW why don't you want to put the approval date into the
header?
1) ok
2) because it isn't in the old code and you told me to keep th
$plain .= "\r\n$name=$value\r\n";
do we now use "\n" or "\r\n" ???
In the old crr code there are lot of "\n"s
And it seems that my database contains only \ns too
Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http
Hi Micha,
We cannot do this for openca_0_9_2 so we have to rebuild the object
completely. The easiest way is the following:
my $plain = $obj->getItem();
$plain =~ s/[\r\n]*$//s;
$plain .= "\r\n$name=$value\r\n";
$obj = OpenCA::REQ->new (...
I guessed this
Might it work to simply append
Hi Micha :)
I am working on the crr-batch and have following problem:
In first step (create_crr) I create a crr in the database like the
web-frontend does:
-BEGIN HEADER-
TYPE = CRR
SERIAL = 384
-END HEADER-
SUBMIT_DATE = Tue Aug 16 13:24:52 2005 UTC
REVOKE_REASON =
..
No
Hi Micha,
Please don't mix 1.1 and 1.2 too in the discussion. You have two options:
1. Implement the batch system like the normal CRR. This means that you
must call the function revoke on the CA token. Please see
OpenCA::OpenSSL->revoke for more details.
2. Simply set the certificate state
Hi Micha,
0. it depends on the version
1. openca_0_9_2
1.1. normal way
CRR --> REVOKED_CERTIFICATE
If the system sets the cert to revoked then we execute an OpenSSL
command which changes the state in index.txt. A CRR is required for this
action.
1.2. aggressive mode
Set cert to revoked a
Hi Folks,
I want to implement the batch process for revoking a certificate.
Is it ok to just set the status of the certificate to "revoked" in the
certificate table ?
Will the backend then realize the certificate as revoked and include
it in the CRL or must I create a CRR ??
Oliver
--
Dies
Hi Folks,
I am currently working on the (old) batch system and encounter a design
problem...
I am in the "complete_csr" phase, where additional data is added prior to
cert issuance. I will add a certification expiry date here, means
creating an attribute stored in the request header.
During
really, there is no text here :)
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72
[EMAIL PROTECTED] wrote:
Has anyone done some work on allowing a paste field in the user
certificate entry screen so a user has a choice of just paste a cert
request or uploading a file?
We only support file upload today. I give up a copy&paste implementation
after Mozilla copy&paste forces m
Hi Edward,
Has anyone done some work on allowing a paste field in the user
certificate entry screen so a user has a choice of just paste a cert
request or uploading a file?
I started a time ago but didn't finish - so if you will do this please
send me the patch ;)
Oliver
--
Diese Nachricht w
Hi Micha,
Perhaps my chown sets automatically -h and your chown does not set it by
default. I will add -h to the chown command. Please try it with -h.
Had the same idea :)
It works
Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Basi
Hi Micha,
What version of chown do you have? I have 5.2.1 on a Debian 3.1 Sarge.
chown --version
chown (GNU coreutils) 5.3.0
Suse 9.3
Checked it on my Server (gentoo, chown 5.2.1 and it is working here too
!) -so it seems that chown has changed its behaviour...
Oliver
--
Diese Nachricht
Hi Micha,
make[9]: Leaving directory
`/home/oliwel/tmp/openca-0.9/src/common/var/crypto'
/usr/bin/install -c -o root -g root -m 644 Makefile.crt
/usr/local/OpenCA/var/crypto/chain/Makefile
+ make __install_ln_s
TARGET=/usr/local/OpenCA/var/crypto/keys/cakey.pem
LINK=/usr/local/OpenCA/var/cryp
Hi Micha,
System: Suse 9.3 standard,
$ cvs co openca-0.9 (from account)
$ cd openca-0.9
$ ./configure
$ make
$ make install
make[9]: Leaving directory
`/home/oliwel/tmp/openca-0.9/src/common/var/crypto'
/usr/bin/install -c -o root -g root -m 644 Makefile.crt
/usr/local/OpenCA/var/crypto/c
Hi Micha,
After ./configure, make the make install fails when it tries to make
the symlinks for the crypto-files (cacert, cakey, crl) and the "chown"
afterwards.
I did this yesterday or so to support Apache's
FollowSymlinksIfOwnerMatch. Do you have an error message or do you know
what's wron
Hi All,
I try installing current cvs head and am nagged by several missing perl
Modules.
Might it be possible to create a kind of "dependency" checker that will
check for the existence (and perhaps version) of required perl Modules
and outputs a list or bash script for cpan to fetch the missi
Hi Micha,
I am encountering some nagging error when installing current HEAD.
After ./configure, make the make install fails when it tries to make the
symlinks for the crypto-files (cacert, cakey, crl) and the "chown"
afterwards.
Only way to make the installer work was to create
OpenCA/var/cr
Hi Johnny,
hmm have you tried to verify the certificate with a properly configured
openssl ? It might be an issue in the windows certificate display and not
of OpenCA
Another problem might be missing utf8 support on the CA machines
Can you please post the PEM code of a certificate.
Oliv
Hi,
i may be able to test against a pix, but can't promise, since i'm not
working there anymore, but i have still good contacts so it may be
possible but i don't have access to any cisco-router equipment for
testing those ios systems
I think I can organize an old Cisco 2600 Series here and set
Hi,
so if I see this correctly the new scep script adds new functionality
AND does everything it has done before - means it is a drop in
replacement for the old script ?
Martin, you said it is "slower" - academic slower or practical slower :)
If I assume right - my Opinion: make the new scep
Hi Martin,
I have a local and substantially improved variant of scepPKIOperation
that works quite well in my environment (including production use,
see bug #1080695).
...
Should I check in my scepPKIOperation to CVS head or keep it local?
As SCEP is imho one of the most requested features
Dear OpenCA Users,
the OpenCA Team wants to announce this year's Users-Workshop.
If the majority of users has problems with the date - please let us know
and we will try to move it !
Location: Techn. Universitaet Muenchen (Germany)
Mon 17. October: Developer Meeting (open to whoever is in
Hi Folks,
after some discussions we decided to hold the 2005 OpenCA workshop here
at my University in Munich like last year. (Konstanz is a beautiful city
but has no good transport connections...)
The workshop will be divided into two days,
Day One will start with a developer meeting where the
Hi Guys,
I am reading the comments of you both and try to understand - what's
about creating another conference call (either by phone or in an online
chat) and discuss a little bit on the topic ?
I think this will bring us a little bit further in a shorter time...
Oliver
--
Diese Nachricht wurd
Hi Folks,
I have finished the migration of the docs to the new module, it is now
organized as follows:
Everything is in a new cvs module called "doc"
The "guide" folder contains the compiled pdf/html/ps and chunked_html
version, the sources (xml files) are all in the src directory. There is
Hi Micha,
I would prefer to put all final docs into the doc/ area or all final
docs on the website. If the final howtos are in doc/ then I would like
to see the pdf/ps/html guide in the doc/ area too. One rule for all
content.
I have problems especially with the chunked version in CVS becaus
Hi Guys,
I have now prepared to move the documentation to the new module as
announced 2 weeks ago.
I am unconsious about one thing:
The "Guide" consists of the XML Sources and the compiled pdf/html/ps
version. What should we put into the "doc" module ? Only the sources or
the final docs als
Hi Micha,
Ok, it is really complex. so I try a rudimentary example of the internal
logic.
2. export data to child
2.1. export config (e.g. dataexchange.xml)
2.2. check which objects of which datatype must be exported to the child
2.3. export these objects
2.4. write logs of this
2.5. export m
Hi Chrysa,
we had the same need for a transformation of the dn, so we implemented a
function in LDAP.pm that translates the dn to the appropriate form if a
configuration parameter LDAP_TRANSLATE_DN (ldap.conf) is set to 1. The
function extracts the uid from the cert, builds the new dn and can con
2005 19:45:41 -0400
From: Kevin Mitcham <[EMAIL PROTECTED]>
To: Oliver Welter <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
GNU Free Doc License is ok with my grant constraints. Good luck with it.
Kevin
Oliver Welter wrote:
Hi Kevin,
we are currently reorganizing the
Hi,
1. We have no license on our webpage. So it is impossible for a newbie
to find our license (there is only a statement that it is open source).
ok we should add this - but it is not related to the topic :)
2. We have no license for our documentation. Does somebody have a good
recommendat
Hi Folks,
I see a little issue with our current documentation handling.
We have all docs in the openca program branch. This includes our
official guide as well as contributed HowTos, etc.
It raises a problem to keep the guide in sync with the different
branches and to spread the howtos (that
Hi John,
I'm awaiting the revisions for the multiple SubCA per VM set up. Do you
think the documents should be further broken down? For example, the FC3
document is really only about FC3 in the beginning.
My intention is - the current versions are better than we have now (in
fact we have
Hi John,
send it per PM to me - I will have a look at it and find an appropriate
place for it.
Attachments are not really wanted on the list because they consume much
traffic
Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Basiszert
Hi Peter,
Can I do this transformation via the schema-descriptions in ldap.xml
or have I to rewrite the ldap-export Module =
AFAICS there are no DN-Transformation rules implemented, thus subjectDN
equals the DN of the LDAP entry. Michael please correct me, if I am
wrong here.
What you need
Hi Folks,
I have a nice feature-request here :)
I have a certificate that contains a unique ID in the DN (number of
company register)
I have a LDAP Server that has a completely different DN scheme, but the
mentioned ID is a unique attribute in the LDAP tree, too. So this means
I can search f
Hi Johnny,
there is a binary openca-digest that is used for creating the hashes.
They differ in some padding issues to the openssl commands so they aren't
the same.
Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: htt
Hi Michael,
You see I like short answers but perhaps a small explanation is a good
idea. OpenCA exports an object until it gets a commit from the receiving
node. This means in your case that OpenCA exports every cert from the CA
node until it gets a commit for the cert from the receiving RA no
Hi Devs,
there was a serious question appearing on the users list...
What happens in this scenario, using networkbased dataexchange (scp):
CA Op 1 issues some certs and enrolls them
CA Op 2 issues some certs and enrolls them
RA Op now downloads the dataexchange files
I guess RA will receive th
Hello Pierre,
But I still do not understand the process the RA Operator should follow.
Do you mean that once the RA operator received a token request (no
crypto stuff involved) and approve it, he will start a complete process
from scratch on his own requesting a Certificate from the Pub interfac
Hello Pierre,
the token request is not what you want.
Token Request means, that the RA will issue a token for you, so there is
no crypto-stuff behind it.
It is the right way to use Basic Request with the token attached to the
browser
Oliver
--
This message was digitally signed
oli
Hi Bahaa,
Can anyone point me to how to write enable OpenCA as a web service and
how to work with access controls of OpenCA. I would like to be able to
submit a pkcs10 request and receive the signed certificate via web
service. Thanks in Advance
There are two (three) ways for this :)
1) You can pa
I am way behind schedule with a web frontend prototype for the new CVS
version of OpenCA, but this also gave me time to think about the
architecture.
I have summarized my thoughts on the following Wiki page, I'd appreciate
comments on my ideas!
http://openca.cynops.de/openca/WebFrontend
First Impre
Is there a protocol for updating key from a PKI ? I have read RFC 2510 in
which PKI messages format is done, but there is no description of
exchanges between the EE and a RA. I am looking for exchange like it can
exist for SMTP or POP3 for example. Is there a such describe protocol for
PKI solution
If it helps somebody - I got it ;)
Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72
I would prefer tagging cvs
Using a cvs is for "advanced" users only, dl'ing a snap is usually done
even by more "unexperienced" users...and I don't want to have all these
guys on the list ,)
Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwe
Hi Ives,
Hi Til,
together with Michael I tracked it down - the order is mixed up already
by the OpenSSL interface...
this means? ;)
or at which place... a pointer would be nice - thx
The Mailaddresses are fetched via "getCertAttribute" in X509.pm which
calls the crypto-backend, in my case OpenSSL.
Hi Til,
together with Michael I tracked it down - the order is mixed up already
by the OpenSSL interface...
For my part I will do a loop through all addresses and take one that
matches a given regexp...
This is not a good solution but will solve my urgent needs
Oliver
--
Diese Nachricht wurd
Hi Guru's,
I have a question on OpenSSL Interface...
My Problem: A certificate contains multiple eMail Addresses as "Subject
Alternative Name". The order of these entries is important for me, as
the first address (the address added first during creation) is always
the address I want to use for LDA
Hi Folks,
annoying problem
During setup for a new installation I ran into one really stupid problem...
I had an error in my Database config section, so the startup threw an
error.
So I fixed this, ran configure_etc and started openca again, and again,
and again
After some subsequent trie
Hi PPl,
I am currently working on the batch processor for revoking and renewal.
I have situations where a user re-requests a new certificate with changed
data during the lifetime. So I must revoke the "old" certificate when I
issue a new one. From the "usability" point of view, I want to revoke
t
Hi Michael, Hi Martin,
I basically agree on this thing - and I must say I cannot really follow
your both other ideas. I am not this deep in the project and screw up
my mind when trying to make a big picture
I would prefer talking on a phone conference about this, think this will
make som
Hello together,
attached you find a modified version of Martin's Scep script.
Modifications were done in "sub scepStoreRequest" around line 440 for
serving Cisco SCEP requests. The Script parses the DN from the request,
reorders the elements and extracts IP and FQDN and puts it in the
Subject Al
Hi Alexei,
open the configure_etc script and look if you have the correct directory
with your files in the "DIReCTORY" list at the top of the script.
You can try to add "/bin/sh -x" at the top - this will write the
executed commands on STDOUT
Oliver
--
Diese Nachricht wurde digital unterschrieb
Hi Ives,
And we must set two values in the Subject Alternative Name...
its not working without? i didn't check it yet...
but i thought since it took me soo long to realize that cisco
likes it this way at the pix, i did this with the routers
but i give it a try later - or did u already?
We had not ti
Hi Ppl,
I have a little problem - we are setting up an OpenCA for usage with
cisco devices via SCEP.
We have to set some fields on the request manually and want to automate
this. The modifications are:
Setting
unstructuredName=ipsec-test.test.corp+unstructuredAddress=1.1.1.1,OU=...
to unstru
Hi Folks,
I am playing with SCEP currently and have a question/suggestion for the
default configuration...
In "access_control/scep.xml" the channel is set to "http" correctly, but
"map_role" is set to yes...
As scep in general does not use any authentication, role mapping is not
possible and l
Hi Martin,
I thought about the problems before posting - but I think that the
status flag in the DB can not be used for such a time-critical or
high-security application - you have a similar problem with just the
"runtime" of a revoke action. I think that an application should verify
the times
Hi Martin,
I agree on the problem but not totally on the suggested solution :)
I'd like to propose the following change for the next release:
- for each certificate the notBefore and notAfter dates are stored
in the database
- the following certificate status are kept in the database:
- ISSUED
Hi Martin,
Me too, as I think I was one of the guys who made this suggestion and I
did some similar stuff in the past - I can contribute here or take the
lead in that direction. As semester is over in 2 weeks my schedule is
much more relaxed now.
I have started to give an experimental new frontend
hi Micha, Hi Chris,
I say go for it !
Me too, as I think I was one of the guys who made this suggestion and I
did some similar stuff in the past - I can contribute here or take the
lead in that direction. As semester is over in 2 weeks my schedule is
much more relaxed now.
Oliver
--
Diese Nachr
in our test system I used the "Rebuild OpenSSL database and next serial
number" function to recreate the index.txt file.
After this was successfully performed, I noticed that the revocation date
in index.txt was destroyed, leading to erroneous CRLs:
Revoked Certificates:
Serial Number: 03
hi Folks,
I am currently working on a "High Availability Installation" of OpenCA...
Scenario: Two identical Server, both running Linux and OpenCA with
identical config on both. MySQL Server with native replication
Is it necessary to keep the disks in sync to run a failover scenario ?
The curr
guide but it does not say much about this error. How can you export the
SSLEnv in apache 2.0.X?
Best regards,
Bahaa Al-amood
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Welter
Sent: Friday, December 24, 2004 9:12 AM
To: openca-devel@lists.sourc
Alamood, Bahaaldin wrote:
Hi all,
I just set up openca-0.9.2.1 on a test machine for the second time but this
time when I go to access the RA pages I get this error "General Error
Aborting connection - you are using a too short symmetric keylength()" I
have never seen it doing this before. I have
Hi Thameur,
you can use the "openca-*" utils in the "bin/" folder for this purpose -
these tools can be compiled without the other openca-stuff.
AFAIK it is not possible to generate the PIN directly with openssl
because it uses some methods that are not available through the command
line inter
Hi Folks,
the new Special Edition of the german "Linux Magazin" is on sale now
containing the article written by Michael and me.
I try to get a PDF Version of it that we can publish on the website. How
do you think about announcing the article in the webpage and later on
perhaps posting it ?
I
Hi Guys,
Today
$self->setError (1234567,
$self->{gettext} ("File __var__ is missing.", "__var__",
$var));
Proposal
$self->setError (OPENCA_I18N_MODULE_AC_INIT_NO_FILE);
Question: What's about the "variable extension" like seen above ? Have
you omitted this for better reading ? -
Hi Ives,
what do you think about changing from automake and conf
to scons? maybe for the next release or later?
http://www.scons.org/
"Configuration files are Python scripts--use the power of a real
programming language to solve build problems."
I don't like Python and it is not installed on m
Hi Folks,
some really nice ideas - to most of them I agree, to some not - I will
see to find the time to give a more detailed info on the weekend but I
am a little bit busy at the moment :)
One quick point: I disagree with the workflow module - I think we should
keep the state machine model an
Hi All,
can anybody enlighten me what the "owner" tags in the RBAC Configuration
are used for ??
Is it possible to limit access to objects based on properties of the
objects ??
Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Basiszertifi
hi Dalini,
yes your "edit" state would be quite the same as my suggestion - I
addressed this to Martin cause it seemed to me that he missed the point...
usually the request object would get signed with its NEW state either -
approved or rejected - so it can't be changed and its clear what to do
dalini wrote:
Martin Bartosch wrote:
admin 1 requests operation X on object A
-> results in an entry in edit state
Now as long as the request is neither approved nor revoked it is not
possible (it SHOULD not be possible) to add a new (conflicting)
change request for the same object. That would mean
Hi dalini,
oh, just as we talking about database design in relation to sign actions
and state changes:
do we have an option to create request objects, which just have a dn and
a pwd (pre shared secret) stored? (which also may have been signed,
means pre approved by 1:n operators?)
this is nec
Hi Martin,
- currently it is only possible to get the own CA certificate from
the DB, isn't it? The var/crypto/chain directory may contain
the required certificates, but it is not really enforced, right?
Do you think it is sensible to construct the keystores based
on the CA certs that are a