On Fri, May 07, 1999 at 02:04:25PM +0000, Michael Ströder wrote:
> Hmm, but most times the client does not have OpenSSL to calculate that.
> Most times you have Netscape Communicator or something like this on the
> requester's side. I think PKIX proposes to send a master secret to the
> requester by some out-of-band-communication which is sent to the CA
> together with the certificate request.
Yes, you are right with your sentence about the PKIX recommendation.
On the other hand, the CA I am working for will only sign keys >= 1024
bit for WWW-Server or for CA purposes. So people who want to get a cert
are urged to generate a key with programs that are not export-crippled.
They will use for example OpenSSL. A fingerprint for a request would
make request handling easier for a CA and their customers compared
to the PKIX recommendation.
>
> > 5) New option "-chkdb" for the "ca"-application
> >
> > Invoking "ca" with this option should check "index.txt" for expired
> > certs and mark them with an 'E' in the first column. The idea is that
> > it is possible to run "openssl ca -chkdb" periodically via a cron-job
> > and keep "index.txt" up-to-date.
> > This is important if you use "index.txt" for online-checking
> > (server-)certs via the extension nsRevocationUrl.
>
> Have a look at my Python scripts for these tasks:
>
> http://sites.inka.de/ms/python/pyca/.
>
Thanks for the hint. My idea is to include as much functionality as
possible for proper ca-operation in the openssl-program. So people
do not need any external programs/scripts.
Ciao,
Lars <[EMAIL PROTECTED]>
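The "-chkdb" idea quoted above (scan "index.txt", flip expired 'V' entries to 'E', and use the result for an online check) can be sketched as a small script. The following is an added example, not code from this thread, from Lars, or from OpenSSL itself; it assumes the classic six-field tab-separated index.txt layout (status, expiry, revocation date, serial, filename, subject) with UTCTime-style YYMMDDHHMMSSZ timestamps, and the sample index lines are constructed for the demo. Current OpenSSL releases ship this housekeeping as "openssl ca -updatedb".

```python
import re
from datetime import datetime, timezone

# Constructed sample of an OpenSSL CA index.txt (tab-separated fields):
# status  expiry  revocation-date  serial  filename  subject
SAMPLE_INDEX = (
    "V\t300101000000Z\t\t01\tunknown\t/CN=valid.example\n"
    "V\t990101000000Z\t\t02\tunknown\t/CN=expired.example\n"
    "R\t300101000000Z\t990301120000Z\t03\tunknown\t/CN=revoked.example\n"
)


def parse_utctime(s):
    """Parse a UTCTime-style stamp (YYMMDDHHMMSSZ) as stored in index.txt.
    Two-digit years follow the RFC 5280 rule: 50-99 -> 19xx, 00-49 -> 20xx."""
    m = re.fullmatch(r"(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z", s)
    if not m:
        raise ValueError(f"bad timestamp: {s!r}")
    yy, mo, d, h, mi, sec = (int(x) for x in m.groups())
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, mo, d, h, mi, sec, tzinfo=timezone.utc)


def mark_expired(index_text, now):
    """Return (updated_text, count): every 'V' entry whose expiry lies before
    `now` gets status 'E'. Revoked ('R') entries are left untouched, since a
    revocation must stay visible even after the cert has expired."""
    out = []
    count = 0
    for line in index_text.splitlines():
        if not line.strip():
            out.append(line)
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        status, expiry = fields[0], fields[1]
        if status == "V" and parse_utctime(expiry) < now:
            fields[0] = "E"
            count += 1
        out.append("\t".join(fields))
    return "\n".join(out) + "\n", count


def is_valid_serial(index_text, serial, now):
    """Online check in the spirit of nsRevocationUrl: accept a serial only if
    its index entry is still 'V' and the expiry has not passed. Unknown,
    revoked and expired serials are all rejected."""
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) == 6 and fields[3] == serial:
            return fields[0] == "V" and parse_utctime(fields[1]) >= now
    return False


if __name__ == "__main__":
    # Pretend the cron job runs on 2000-01-01 (constructed clock value).
    now = datetime(2000, 1, 1, tzinfo=timezone.utc)
    updated, n = mark_expired(SAMPLE_INDEX, now)
    print(f"{n} entry marked expired")
    print(updated, end="")
    for serial in ("01", "02", "03", "99"):
        print(serial, "valid" if is_valid_serial(updated, serial, now) else "rejected")
```

Running the check against the expiry date as well as the status column matters: an entry that has not yet been rewritten to 'E' by the periodic job is still rejected, so the online check does not depend on the cron job having run.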
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]