Lars Weber wrote:
>
> I have some (late) suggestions for the next OpenSSL-Release:
>
> 1) Fingerprint for requests
>
> This should calculate a unique fingerprint for the request and would
> make it possible to identify a request via this hash. I think this
> would be very helpful for CAs (well, at least it'd be for us :-).
> E.g., we would ask the requester of a certificate to write down the
> fingerprint of the CSR on some kind of agreement form prior to the
> certification process. We would then compare the fingerprint with
> what openssl shows us.
Hmm, but most times the client does not have OpenSSL to calculate that.
Most times you have Netscape Communicator or something like this on the
requester's side. I think PKIX proposes to send a master secret to the
requester by some out-of-band-communication which is sent to the CA
together with the certificate request.
> 5) New option "-chkdb" for the "ca"-application
>
> Invoking "ca" with this option should check "index.txt" for expired
> certs and mark them with an 'E' in the first column. The idea is that
> it is possible to run "openssl ca -chkdb" periodically via a cron-job
> and keep "index.txt" up-to-date.
> This is important if you use
> "index.txt" for online-checking (server-)certs via the extension
> nsRevocationUrl.
Have a look at my Python scripts for these tasks:
http://sites.inka.de/ms/python/pyca/.
Ciao, Michael.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
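For both of Lars's points above, an added example in plain Python (not code from this thread and not part of Michael's pyca scripts): a fingerprint over the DER bytes of a PEM CSR, and an "index.txt" pass that re-flags expired 'V' entries as 'E', the job later OpenSSL releases cover with `openssl ca -updatedb`. It assumes the standard `ca` database layout of six tab-separated columns (status, expiry, revocation date, serial, file name, subject DN); the sample rows and CSR body are constructed.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

def csr_fingerprint(pem: str, algo: str = "sha256") -> str:
    """Hash the DER inside a PEM CSR, i.e. the bytes `openssl req -outform DER` emits."""
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
                  r"-----END (?:NEW )?CERTIFICATE REQUEST-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    der = base64.b64decode("".join(m.group(1).split()))
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_index_time(s: str) -> datetime:
    """index.txt stores YYMMDDHHMMSSZ (UTCTime) or YYYYMMDDHHMMSSZ (GeneralizedTime)."""
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def mark_expired(index_text: str, now: str) -> str:
    """Return index.txt with each valid ('V') entry past its expiry re-flagged 'E'.
    `now` uses the file's own timestamp format, e.g. "260101000000Z"; 'R' rows stay."""
    now_dt = parse_index_time(now)
    out = []
    for line in index_text.splitlines():
        fields = line.split("\t")
        # columns: status, expiry, revocation date, serial, file name, subject DN
        if len(fields) == 6 and fields[0] == "V" and parse_index_time(fields[1]) < now_dt:
            fields[0] = "E"
        out.append("\t".join(fields))
    return "\n".join(out) + "\n"

# Constructed sample data (made-up serials, names and CSR body), not real CA files.
SAMPLE_INDEX = (
    "V\t250101120000Z\t\t01\tunknown\t/CN=old.example.test\n"
    "V\t350101120000Z\t\t02\tunknown\t/CN=fresh.example.test\n"
    "R\t350101120000Z\t240601090000Z\t03\tunknown\t/CN=revoked.example.test\n"
)
SAMPLE_CSR = ("-----BEGIN CERTIFICATE REQUEST-----\n"
              + base64.b64encode(b"constructed bytes, not a real CSR").decode()
              + "\n-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    print("CSR fingerprint:", csr_fingerprint(SAMPLE_CSR))
    now = datetime.now(timezone.utc).strftime("%y%m%d%H%M%SZ")
    print(mark_expired(SAMPLE_INDEX, now), end="")
```

Run it from cron against a copy of the database and swap the file in atomically; the original index.txt is never modified in place here.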