Howard Chu wrote:
Turbo Fredriksson wrote:
Everything I’ve seen about the subject is so darn _complex_! It shouldn’t HAVE to be.
Indeed, there's no reason for it.
Hmm, every time in a customer encryption/PKI project the customer requested that it should be secure *and* easy to use. This is kind of a contradiction to begin with.
Also this short discussion already oversimplifys all the possible use-cases and considerations when talking about storing/using/protecting private keys. Personally I'd never use such a autoca overlay running on the "normal" directory server.
So every technical design should start with a decent description of the use-cases or will blatantly fail. This will lead to reviewing which name spaces have to be put in which naming extension for which usage and who is authorized to use the keys and issue certs. Simply starting with schema for private key storage is putting the cart before the horse.
Having said this I'm willing to contribute to such a design. I have some ideas which are very much based on the role model in Æ-DIR though.
(Well, I sweared to myself not to develop another PKI system again. But every other implementation pretty much sucks, especially in the naming, registration, authorization parts...umpf! But be assured: It's *very* hard to get it really right.)
Ciao, Michael.