On 2006.11.22 at 16:40:27 +0100, Michael Ströder wrote:

> Victor B. Wagner wrote:
> > RFC 2511 defines ASN.1 syntax for putting multiple certificate requests
> > into one message:
> > [..]
> > Question is - how widespread is use of this syntax, is there any
> > real-world CA which understands CertReqMessages sequence.
>
> There are several PKI implementations which support CMP/CRMF (e.g.
> Entrust). At the client side I vaguely remember that it was added to
> Netscape 6.x. Not sure whether it's still actively maintained in
> Mozilla/Firefox etc. Note that CRMF is most times profiled in a
> vendor-/project-specific way.
>
> > It seems simple enough to support this syntax above openssl binary in
> > the scripts which process incoming requests.
> >
> > But is this really
> > necessary, or are there good security reasons to require people who
> > write key generation software to process each certificate request as
> > a separate entity, even if several keys (say signature key and key
> > encipherment key) are generated simultaneously?
>
> What exactly are you trying to achieve? Implement a CA component which
> can deal with any enrollment protocol implemented in clients on earth?

We are implementing a system which contains both a CA and a client. Really, our client has to be compatible with other CA implementations, and our CA with other clients. For some reasons our client often generates both a signature key pair and a key encipherment key pair simultaneously.

I'm trying to understand what is better - push the people who implement the other CAs we are to interoperate with to support CertReqMessages, telling them that it is in the RFC, so it ought to be supported, or tell the people who implement our client not to rely on its support.
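
The following is an added example, not part of the original messages or of OpenSSL: a sketch of the script-level splitting discussed above, relying only on the fact that RFC 2511 defines CertReqMessages as a SEQUENCE SIZE (1..MAX) OF CertReqMsg. The function names and the sample bytes are assumptions made for illustration.

```python
# Added example: split an RFC 2511 CertReqMessages (SEQUENCE OF CertReqMsg)
# into the raw DER of each contained CertReqMsg, rejecting malformed input.

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, pos = buf[off], buf[off + 1], off + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    if first < 0x80:
        length = first                      # short form
    else:
        n = first & 0x7F                    # long form: n length octets
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal length encoding (not DER)")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of input")
    return tag, pos, pos + length

def split_cert_req_messages(der):
    """Return a list with the DER bytes of every CertReqMsg in der."""
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after CertReqMessages")
    msgs, off = [], start
    while off < end:
        tag, _, nxt = read_tlv(der, off)
        if tag != 0x30:
            raise ValueError("CertReqMsg must be a SEQUENCE")
        msgs.append(der[off:nxt])
        off = nxt
    if not msgs:
        raise ValueError("SIZE (1..MAX) violated: no CertReqMsg present")
    return msgs

# Constructed sample: two placeholder SEQUENCEs stand in for the signature-key
# and encipherment-key requests; they are not valid CRMF bodies.
SIG_REQ = bytes.fromhex("3003020101")
ENC_REQ = bytes.fromhex("3003020102")
SAMPLE = bytes([0x30, len(SIG_REQ) + len(ENC_REQ)]) + SIG_REQ + ENC_REQ

if __name__ == "__main__":
    for i, msg in enumerate(split_cert_req_messages(SAMPLE)):
        print(i, msg.hex())
```

Each returned element is a CRMF CertReqMsg, not a PKCS#10 request, so it still needs a CRMF-aware parser downstream.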