Massimiliano Pala wrote:
> Andrew Cooke wrote:
[...]
> > If people want to use the utility routines as a "library" to build their
> > own CA scripts, then it would be better, for example, to provide a
> > separate routine that checks that they know the CA password. In that
> > way the person writing the script has the choice of following your
> > security model, or not.
[...]
> Sincerely I do not understand your observation: to issue a CRL you have to
> load the CA secret Key (either using library routines) and if it has been
> encrypted, you have to call for a "challenge" to get it (and providing the
> encryption password). So if you don't know the protection password of the
> CA key you cannot issue CRLs ...
Maybe, for example, I am writing a complicated script that stays
running. At the start, it would be nice to check that the person who
starts the script is suitable - so it would be nice if I could ask them
to provide the CA key password. They do this, and I then trust the
user. A little later, while still using my script, the user wants to
revoke a certificate. If my script calls your routine the user will
have to enter the password, even though it is not needed. Later still,
he may want to issue a CRL and then he will enter the password again.
The last time the password was requested, it is needed to read the
key. But when the certificate was revoked the password was only needed
because you decided on a security policy. In my (imaginary) script I am
using a different security policy.
Do you see what I mean? Your decision to ask the user for a password
makes sense when the utilities are used alone, but when they are used as
part of a larger script it adds an extra request for a password that is
a nuisance. That is what I meant about using the scripts as a library.
It is not very important - I thought it was interesting that the apps
could be thought of either as utilities or libraries, that's all.
As I said before - thanks for writing this.
Andrew
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
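The split Andrew describes above (a separate "do you know the CA password" check at start-up, revocation that touches only the database, and the key decrypted only when a CRL actually has to be signed) can be shown in code. The following is an added example written for this page; it is not code from the thread, from OpenSSL, or from Massimiliano Pala's scripts. The type and method names (CAStore, CheckCAPassword, Revoke, IssueCRL, RevokedSerials), the throwaway test CA, and the demo password are assumptions made for illustration. It uses Go's standard library only: the CA key is held in the legacy "Proc-Type: 4,ENCRYPTED" PEM format because that is what an OpenSSL-encrypted key of the period looks like, and RevokedCertificates is used rather than RevokedCertificateEntries so the code also builds on Go releases before 1.21.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CAStore is the state of a long-running CA script (illustrative, not a real API).
type CAStore struct {
	Cert      *x509.Certificate
	EncKeyPEM []byte                    // CA key, PEM-encrypted under the CA password
	Revoked   []pkix.RevokedCertificate // the revocation database: serial plus time
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewTestCA builds a throwaway self-signed CA and encrypts its key under password
// in the legacy "Proc-Type: 4,ENCRYPTED" RSA PEM format, the shape of an OpenSSL
// key of the period. Go deprecates that format (weak KDF); real CAs should use PKCS#8.
func NewTestCA(password string) *CAStore {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	certDER := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
	keyDER := x509.MarshalPKCS1PrivateKey(priv)
	enc := must(x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY", keyDER, []byte(password), x509.PEMCipherAES256))
	return &CAStore{Cert: must(x509.ParseCertificate(certDER)), EncKeyPEM: pem.EncodeToMemory(enc)}
}

// loadKey decrypts and parses the CA key: the only step that truly needs the password.
func (s *CAStore) loadKey(password string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(s.EncKeyPEM)
	if block == nil {
		return nil, fmt.Errorf("CA key is not PEM")
	}
	der, err := x509.DecryptPEMBlock(block, []byte(password))
	if err != nil {
		return nil, fmt.Errorf("wrong CA password: %w", err)
	}
	// A wrong password can, rarely, survive the padding check; parsing the result closes that gap.
	key, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, fmt.Errorf("wrong CA password: decrypted data is not an RSA key")
	}
	return key, nil
}

// CheckCAPassword is the separate "does the operator know the CA password" routine: it proves the password, discards the key, and can run once at start-up.
func (s *CAStore) CheckCAPassword(password string) error {
	_, err := s.loadKey(password)
	return err
}

// Revoke only updates the revocation database: no key, no password prompt.
func (s *CAStore) Revoke(serial *big.Int, when time.Time) {
	s.Revoked = append(s.Revoked, pkix.RevokedCertificate{SerialNumber: serial, RevocationTime: when})
}

// IssueCRL signs a CRL over the whole database; the key must be decrypted here,
// so this is the one operation where the password is genuinely needed.
func (s *CAStore) IssueCRL(password string, number int64) ([]byte, error) {
	key, err := s.loadKey(password)
	if err != nil {
		return nil, err
	}
	crl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: s.Revoked}
	return x509.CreateRevocationList(rand.Reader, crl, s.Cert, key)
}

// RevokedSerials verifies a DER CRL against the CA certificate and returns the serials it lists.
func (s *CAStore) RevokedSerials(crlDER []byte) ([]string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(s.Cert); err != nil {
		return nil, err
	}
	var serials []string
	for _, e := range crl.RevokedCertificates {
		serials = append(serials, e.SerialNumber.String())
	}
	return serials, nil
}
```

A script built on these pieces calls CheckCAPassword once when it starts, calls Revoke as often as it likes without any prompt, and is asked for the password again only inside IssueCRL. Whether that second prompt is acceptable, or whether the script should instead cache the passphrase (or the decrypted key) in memory after the start-up check, is exactly the policy choice the thread is about; the code above deliberately discards the key after every use, which is the more conservative of the two.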