Venki

On Monday 17 March 2003 15:36, you wrote:
> chris,
>
> this is exactly what we want to do in our University. "Dual Key
> Pair". :).

Yes, we use dual key pairs in this way. I come from an Entrust background where 
certificates are stored in a "profile", one cert for each cert type. I have 
just duplicated this within OpenCA.

>
> As far as I understood the certificate attributes, there is no
> field in the certificate which describes "Role". OpenCA has
> one (Role) because they have an RBAC system. When we want to create
> certificates for email purposes alone or authentication alone, the Role
> attribute is simply not necessary because the certificate holder is not
> going to play any role in the OpenCA PKI system. If you follow
> the OpenCA certificate extension files in
> /openca_installation_directory/OpenCA/etc/.... , you will come to
> know this. Hmm.. if you already generated an encryption cert and a
> signature cert, then you might have had your own extension files for
> these two types of certificates. (Am I right, Chris? Enlighten me if
> I am wrong.)

When a user requests a certificate they are given the opportunity to select 
their role (CA Operator, Cross CA, Mail Server, RA Operator, Sub-CA, User, 
etc). We hide all options from our users apart from User and Encryption User 
(our new role). You are right, there is no role in the certificate, but there 
is in the OpenCA database.

>
> As far as I understood the OpenCA code, Role is stored only in the database.
> Whenever some user accesses an OpenCA page via https, the RBAC "grant
> function" extracts the serial no. from the client certificate and
> identifies the appropriate role from the database, then allows access to
> him.
>

Yes, but this role is also used to define normal users' certificates (am I 
wrong here, Michael?).

All I have done is create a new role for encryption certs and edited the 
extensions file to make it encrypt only.

> I really don't know a good solution for your LDAP query, but I am
> thinking of having some role (say 'E' for encryption and 'S' for
> signature) and checking against this value before adding into LDAP.
> Also don't give any in the (RBAC) PKI system if the user has a
> certificate of this type. I think this will be taken care of by the
> browser itself. Don't know :)...
>

Yes, this is effectively what I have done (see my last mails to the list).

> Anyway, tell me also how you managed to generate certs with
> your own defined extension files (encryption cert or signing
> cert). Awaiting to hear more from you.
>

I think I have explained this in my last mail (this one may have crossed!!). 
I edited the .ext file.

Michael, can you tell us if this is an accepted way of using OpenCA roles ?

Chris...
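The practical difference between the two certificates in the dual-key-pair setup above is only the keyUsage extension: the encryption profile's .ext file sets keyUsage to keyEncipherment, the signing profile's to digitalSignature and nonRepudiation (assuming OpenCA's .ext files use the OpenSSL x509 extension syntax, e.g. `keyUsage = critical, keyEncipherment`; the thread does not say so). The example below is added here and is not OpenCA code: it encodes and decodes the DER BIT STRING that such a keyUsage line puts into the certificate (bit positions per RFC 5280), maps the result to the 'E' / 'S' role letters Venki proposes, and applies the two checks he sketches. Which cert goes into LDAP and which one may log in to the RBAC interface are my assumptions (the encryption cert is what correspondents need to look up; only a signing cert authenticates), as is the rule that a cert carrying both usages gets no role at all.

```python
"""Key-usage handling for a dual-key-pair PKI (added example, not OpenCA code).

Classify a certificate as an encryption cert or a signing cert from its
X.509 keyUsage extension and apply the 'E' / 'S' role check proposed in
the thread.  Bit names and positions follow RFC 5280 section 4.2.1.3.
The LDAP / RBAC decisions below are assumptions, not OpenCA behaviour.
"""

# RFC 5280 KeyUsage bit positions. Bit 0 is the most significant bit of the
# first content byte of the DER BIT STRING.
KEY_USAGE_BITS = (
    "digitalSignature",   # 0
    "nonRepudiation",     # 1 (also called contentCommitment)
    "keyEncipherment",    # 2
    "dataEncipherment",   # 3
    "keyAgreement",       # 4
    "keyCertSign",        # 5
    "cRLSign",            # 6
    "encipherOnly",       # 7
    "decipherOnly",       # 8
)

# Assumed split of usages between the two certs of a dual key pair.
ENCRYPTION_USAGES = {"keyEncipherment", "dataEncipherment", "keyAgreement"}
SIGNING_USAGES = {"digitalSignature", "nonRepudiation"}


def encode_key_usage(usages):
    """DER-encode a set of usage names as the keyUsage BIT STRING.

    DER requires trailing zero bits of a named bit list to be dropped, so
    the length and the unused-bits byte depend on the highest bit set.
    """
    bits, highest = 0, -1
    for name in usages:
        idx = KEY_USAGE_BITS.index(name)   # ValueError on an unknown name
        bits |= 1 << (15 - idx)            # pack into a 16-bit field, MSB first
        highest = max(highest, idx)
    if highest < 0:
        return bytes([0x03, 0x01, 0x00])   # empty BIT STRING
    nbytes = 1 if highest < 8 else 2
    content = bits.to_bytes(2, "big")[:nbytes]
    unused = nbytes * 8 - (highest + 1)
    return bytes([0x03, nbytes + 1, unused]) + content


def decode_key_usage(der):
    """Decode a keyUsage DER BIT STRING into a set of usage names.

    Rejects anything that is not a short-form BIT STRING with a sane
    unused-bits count and zero padding bits (as DER requires).
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("bad unused-bits count")
    if content and content[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits are not zero")
    usages = set()
    total_bits = len(content) * 8 - unused
    for idx in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(idx, 8)
        if content[byte] & (0x80 >> bit):
            usages.add(KEY_USAGE_BITS[idx])
    return usages


def classify_role(usages):
    """'E' for an encryption-only cert, 'S' for a signing-only cert.

    A cert that carries both kinds of usage (or neither) does not fit a
    dual-key-pair policy and gets no role (assumption).
    """
    enc = bool(usages & ENCRYPTION_USAGES)
    sig = bool(usages & SIGNING_USAGES)
    if enc and not sig:
        return "E"
    if sig and not enc:
        return "S"
    return None


def publish_to_ldap(usages):
    """Assumption: only the encryption cert goes into the directory."""
    return classify_role(usages) == "E"


def allow_rbac_login(usages):
    """Assumption: only a signing cert may authenticate to the web interface,
    so an encryption cert is refused before its serial is looked up."""
    return classify_role(usages) == "S"


if __name__ == "__main__":
    # Constructed values: what the two .ext profiles would put in the certs.
    for label, profile in (("encryption", {"keyEncipherment"}),
                           ("signing", {"digitalSignature", "nonRepudiation"})):
        der = encode_key_usage(profile)
        usages = decode_key_usage(der)
        print(f"{label}: {der.hex()} -> {sorted(usages)} role={classify_role(usages)} "
              f"ldap={publish_to_ldap(usages)} login={allow_rbac_login(usages)}")
```

`openssl x509 -in cert.pem -noout -text` shows the decoded names in the "X509v3 Key Usage" line, which is the quickest way to confirm an issued cert matches the profile you intended.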

_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
