Hi Massimiliano,
> You are asking wich type of algorithm the user is about to use (DSA/RSA/
> whatever) ?
Yep.
> I am not sure I understood it (partially because I never took a close look
> to PGP ... blame me (!!!)): can you make some real example ? Cout that be
> the public key itself contained in the SPKAC ?
Well, in PGP the fingerprint is defined somewhat like a hashvalue over the
public key data, the emailaddress and the date (i think).
When you issue a netscape client certificate the certificate also contains a
fingerprint. I do not exactly know what this fingerprint means (perhaps
someone else does?), but I'd like to know (if it is possible) the
fingerprint before certifying. It all has to do with the verification
process we want to do before certifying a key.
The process can be described as follows:
1. applicant requests certificate (submits public key to enrollment)
2. enrollment server sends back key details (things identifying the key for
100%) (I know, this can be cracked, we solved it procedureally :)
3. CA verifies link between applicant and organisation (it's our office CA)
4. CA verifies link between applicant and public key and verifies identity
of applicant
5. CA signs certificate request
6. CA handsout certificate
During 4 the verification of the identity is done fairly easily (passport
etc.), but the applicant also needs to be sure the key he submitted for
certification is the key described on the form he is about to sign (the form
states: Yes, I'm the person described here and yes, what is described here
in keysize, algorithm and "fingerprint" is MY public key. Yes, I'm sure.
Yes, I'm sure, sign my key! Sorry, need to go home.)
but: I hope I've made my problem clear. Both the applicant and the CA need
to know what public key they're talking about. In PGP there is the
fingerprint mechanism, in netscape also, but it only works _after_
certification :( and I need it before.....
> > Again, thank you for making it public, it's a great help :)
>
> Are you kiddin' ?? First rule of the Net: you give one and get 100 in return!
> I'm happy if I can share my (poor) knoledge with someone else...
Hmm. Seems your knowledge is still > mine....well, I'm working on something
that I'll be glad to share (even if there is no interest ;), it's a fully
operational production CA with verification procedure support. The latter
is something I'm still missing. As soon as I've got something I'll post it
here. Another project of us aims at providing good documentation for our
customers on how to do things with internet-aplications (how to setup your
own directory server etc.). It will also contain a security category, and
that will contain a "how-to-build your own ca using openssl", and how to
build it in such a way it will be certified by the SURFnet Policy
Certification Authority. It's all lots of fun :)
Jan
--
alive=true
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
