Kulpinski, Dejan wrote:
> As for storing the data outside of the database...
> 
> Aside from the temporary files (exports) you should really try to avoid storing data
> outside of the database itself, because that makes it much more difficult for day to day
> operations of the OpenCA. Having a database that contains all the data and the state of
> the OpenCA makes it much easier to do backups and recovery. It is easier to control
> access to data as well. Remember I am talking from the operations point of view here,
> since we operate an actual production version of Certification Authority. I have seen
> and tested products that do exactly that (such as SSH Certifier for example), where
> everything is stored and encrypted in the database including CA Cert and its keys.

I want the same but there is still a problem with OpenCA::DB ...

> As for DBI vs. DB...
> 
> Do you plan to support DB in the future? I was very surprised to see somebody using
> the Berkeley DB in the first place. My suggestion would be to support only DBI. That
> way you have much less work to do, and you can streamline your code to work well
> efficiently with the relational database. Then again, I might be biased...

Really nice idea but I don't know how big the userbase of 
OpenCA::DB is. I would prefer relational databases too but perhaps there 
are many users of OpenCA::DB. So I think about a design trick in 
OpenCA::X509 to allow a simple integration into OpenCA::DB.

> As for export/import flags...
> 
> As I said you only need to track exports, since you can use serial numbers of
> certificates/requests to see if they have been imported or not. Therefore you would
> only need flags for the exports.

Actually there are some problems with our design. The problems are:

1. pending requests on the CA
2. deleting requests on the RA if they were already approved

I will try to prepare a cleanup.

So we come closer to a solution ...

1. cleanup design (never export pending requests, never delete approved 
requests on the RA)
2. add EXPORT_FLAG to OpenCA's cryptoobjects
3. add the flag to the searchable attributes
4. implement changed export-import.lib

Further comments?

Michael
-- 
-------------------------------------------------------------------
Michael Bell                   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter     Email:  [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6             Fax:  +49 (0)30-2093 2959
10099 Berlin
Germany                                       http://www.openca.org
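
The four-step plan above, sketched as an added example that is not part of the original message and is not OpenCA code. The table and column names, the function names and the use of SQLite are assumptions chosen to keep it self-contained; it shows an export flag tracked on the RA side only, with the import side relying on serial numbers.

```python
import sqlite3

# Hypothetical schema: names are assumptions, not OpenCA's own tables.
SCHEMA = """CREATE TABLE request (
    serial      INTEGER PRIMARY KEY,
    status      TEXT NOT NULL CHECK (status IN ('PENDING', 'APPROVED')),
    export_flag INTEGER NOT NULL DEFAULT 0)"""

def new_node(rows=()):
    """Create an in-memory RA or CA store, seeded with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO request (serial, status) VALUES (?, ?)", rows)
    return db

def export_requests(ra):
    """Export approved, not-yet-exported requests; pending ones never leave."""
    with ra:  # select and flag in one transaction
        rows = ra.execute(
            "SELECT serial, status FROM request "
            "WHERE status = 'APPROVED' AND export_flag = 0 "
            "ORDER BY serial").fetchall()
        ra.executemany("UPDATE request SET export_flag = 1 WHERE serial = ?",
                       [(serial,) for serial, _ in rows])
    return rows

def import_requests(ca, rows):
    """No import flag needed: the serial number shows what is already present."""
    added = []
    with ca:
        for serial, status in rows:
            known = ca.execute("SELECT 1 FROM request WHERE serial = ?",
                               (serial,)).fetchone()
            if known:
                continue  # replayed export file, skip silently
            ca.execute("INSERT INTO request (serial, status) VALUES (?, ?)",
                       (serial, status))
            added.append(serial)
    return added

def delete_request(ra, serial):
    """Refuse to delete approved requests on the RA; return True if deleted."""
    with ra:
        cur = ra.execute("DELETE FROM request "
                         "WHERE serial = ? AND status != 'APPROVED'", (serial,))
    return cur.rowcount == 1
```
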


