> - What's the deep rationale behind the unique index on the
>   subject DN? Why not make a unique index on the keyid?

Because the crypto-using applications are more likely to present a name,
rather than a keyid.  Because cert lifetimes should (when done properly
IMHO :) overlap -- when a new cert (and maybe new key, maybe not) is
issued, there will still be things signed by the old cert "in transit",
and you'll need to fetch "all" the user keys.

Hmm, but as I read more of your note, it sounds like the txt_db stuff is
broken for what should be its intended use.

Keys expire more rapidly than users do. :) For example, in email, you have
the user's name, and you want to fetch the certs that might be
appropriate for that user.

> Suggestions? Is there any interest in such changes at all?

I think the CA program is "proof of concept" and not up to the quality
of the rest of openssl.  Any improvement here would be good.
        /r$
-- 
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
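
The lookup the message describes, fetching "all" the certs for a name rather than one, is easy to show against the CA's own text database. The following is an added example, not code from this thread or from OpenSSL: it parses rows laid out like the `openssl ca` index.txt (tab-separated status, expiry, revocation date, serial, filename, subject DN), returns every cert for a subject that was still usable at a given instant, and separately shows which rows a unique index on the subject DN would have refused. The sample rows, subject names and serials are constructed for the example; later OpenSSL releases expose the same choice as the `unique_subject` option of the ca section.

```python
"""Lookup over an OpenSSL-style CA index.txt keyed by subject DN (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample index. Real index.txt rows are tab-separated:
# status (V/R/E), expiry (ASN.1 time), revocation time (empty unless revoked,
# optionally ",reason"), serial (hex), filename, subject DN.
SAMPLE_INDEX = "\n".join([
    "V\t250101000000Z\t\t01\tunknown\t/CN=alice/emailAddress=alice@example.com",
    "V\t260101000000Z\t\t02\tunknown\t/CN=alice/emailAddress=alice@example.com",
    "R\t250601000000Z\t240301000000Z,keyCompromise\t03\tunknown\t/CN=bob/emailAddress=bob@example.com",
    "V\t270101000000Z\t\t04\tunknown\t/CN=bob/emailAddress=bob@example.com",
])


@dataclass(frozen=True)
class IndexEntry:
    status: str                  # 'V' valid, 'R' revoked, 'E' expired
    not_after: datetime
    revoked_at: Optional[datetime]
    serial: str
    subject: str


def parse_asn1_time(s: str) -> datetime:
    """UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) -> aware datetime."""
    s = s.strip()
    if len(s) == 13:
        return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if len(s) == 15:
        return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised ASN.1 time {s!r}")


def parse_index(text: str) -> list[IndexEntry]:
    """Parse index.txt rows; rejects rows that do not have exactly six fields."""
    entries: list[IndexEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated fields, got {len(fields)}")
        status, expiry, revocation, serial, _filename, subject = fields
        # The revocation field may carry a ",reason" suffix; only the time matters here.
        revoked_at = parse_asn1_time(revocation.split(",")[0]) if revocation else None
        entries.append(IndexEntry(status, parse_asn1_time(expiry), revoked_at, serial.lower(), subject))
    return entries


def by_subject(entries: list[IndexEntry]) -> dict[str, list[IndexEntry]]:
    """Index on subject DN that keeps every row, not just the newest one."""
    table: dict[str, list[IndexEntry]] = {}
    for e in entries:
        table.setdefault(e.subject, []).append(e)
    return table


def certs_usable_at(entries: list[IndexEntry], subject: str, when: datetime) -> list[str]:
    """Serials of all certs for `subject` that were usable at `when`:
    not yet expired and not yet revoked. Overlapping certs are all returned,
    which is what a verifier needs for signatures made under an older cert."""
    usable = []
    for e in by_subject(entries).get(subject, []):
        if when >= e.not_after:
            continue
        if e.revoked_at is not None and when >= e.revoked_at:
            continue
        usable.append(e.serial)
    return usable


def rejected_by_unique_subject(entries: list[IndexEntry]) -> list[str]:
    """Serials a unique index on subject DN would refuse: a second still-valid
    ('V') row for a subject that already has one. Revoked/expired rows do not count."""
    seen: set[str] = set()
    rejected = []
    for e in entries:
        if e.status != "V":
            continue
        if e.subject in seen:
            rejected.append(e.serial)
        else:
            seen.add(e.subject)
    return rejected


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for dn in by_subject(db):
        print(dn, "->", certs_usable_at(db, dn, now))
    print("refused under a unique subject index:", rejected_by_unique_subject(db))
```

Run as-is it lists, per subject, every cert usable on 2024-06-01 (alice gets both of her overlapping certs, bob only the one that has not been revoked) and then shows that a unique index on the subject DN would have refused alice's second cert, which is exactly the overlap the message argues a CA should allow.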