From: Michael B. <mic...@rz...> - 2001-06-06 11:30:19
"Dr. Donal O'Mahony" wrote:

> Are there not many cases where one would want to issue multiple certs
> with the same DN (and different serial numbers) e.g. separate signing
> and encryption certs, re-issue of a cert that had been revoked etc.

OpenSSL supports re-issue of a cert after the revocation of this cert.

If you have separate keys for encryption and signing then you must have different DNs if you use openssl, and we use openssl. The usage of keys is only dependent on the extensions, so it should be possible to use different DNs if you know the PINs of the private keys. It's only a question of the software, because most programs don't support separate keys.

> Is it only openssl that would need to be changed to allow this? Or
> is the way OpenCA does the indexing in the DBM file the crucial thing?

It is openssl that doesn't allow multiple certs with the same DN. OpenCA uses the serial number (if the object is a cert) or hashes (if the object is a request, CRR ...).

We had a long discussion about this problem and our solution was the following:

* include a serial number in the DN which is not the serialNumber
* this special serial number in the DN could be used to store the number of the issued certs of this person
* Entrust has a very similar solution but they use SN for this.

We are looking for an attribute which has the meaning of a serial number and is perhaps different from serialNumber.

The code is actually not written because the 0.8.0 version has the highest priority. This version demonstrates the final design before we start with 0.9.x.

Massimiliano - what is with 0.8.0 ? ;-D Should we create a new subtree in the CVS called openca-0.8 to enforce development for the stable version?

(tar -xvf openca-0.8.0-beta.tar; cvs add openca-0.8; cvs commit openca-0.8/* ...)

Regards
Michael

----------------------------------------------------------------------------
Michael Bell                          Email: mic...@we...
Rechenzentrum - Datacenter            Email (work): mic...@rz...
Humboldt-University of Berlin         Tel.(work): +49 (0)30-2093 2482
Unter den Linden 6                    Fax.(work): +49 (0)30-2093 2959
10099 Berlin
Germany                               [OpenCA Core Developer]
http://openca.sourceforge.net
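The two mechanisms Michael describes (a valid cert blocks re-use of its subject DN while a revoked one does not, and a per-person counter attribute in the DN that is distinct from serialNumber lets one person hold several certs) are modelled below in a small Python example. This is added illustration, not OpenCA or OpenSSL code. It assumes the six-field tab-separated layout of OpenSSL's `index.txt` (status, expiry, revocation time, serial, filename, subject), picks `dnQualifier` as the counter attribute (the mail names no attribute, only that it should not be serialNumber), and the index lines and DNs are constructed sample data.

```python
# Constructed model of the per-subject uniqueness rule in an OpenSSL-style
# CA index and of the DN-counter workaround discussed in the mail.
# Added example, not OpenCA or OpenSSL code.
from dataclasses import dataclass
from typing import Dict, List


# Assumption: OpenSSL's index.txt layout, six tab-separated fields.
@dataclass
class IndexEntry:
    status: str     # 'V' valid, 'R' revoked, 'E' expired
    expiry: str     # YYMMDDHHMMSSZ
    revoked: str    # revocation time, empty unless status == 'R'
    serial: str     # hex serial number
    filename: str   # 'unknown' when the cert file is not tracked
    subject: str    # subject DN in OpenSSL one-line form


def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt lines; reject lines that do not have six fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        entries.append(IndexEntry(*fields))
    return entries


def valid_subject_index(entries: List[IndexEntry]) -> Dict[str, List[IndexEntry]]:
    """Subject -> still-valid entries. Only 'V' rows block a subject, so the
    DN of a revoked cert may be re-issued, as the mail states."""
    index: Dict[str, List[IndexEntry]] = {}
    for e in entries:
        if e.status == "V":
            index.setdefault(e.subject, []).append(e)
    return index


def can_issue(entries: List[IndexEntry], subject: str) -> bool:
    """True unless a valid cert already carries exactly this subject DN."""
    return subject not in valid_subject_index(entries)


# Assumption: dnQualifier as the counter attribute; the mail only says the
# attribute should be something other than serialNumber.
COUNTER_ATTR = "dnQualifier"


def issued_count(entries: List[IndexEntry], base_dn: str) -> int:
    """Number of certs ever issued (any status) to the person with base_dn,
    counting both the plain and the counter-qualified forms of the DN."""
    prefix = f"{base_dn}/{COUNTER_ATTR}="
    return sum(1 for e in entries
               if e.subject == base_dn or e.subject.startswith(prefix))


def next_subject(entries: List[IndexEntry], base_dn: str) -> str:
    """DN for this person's next cert: base DN plus the per-person counter
    proposed in the mail, so it never collides with an earlier valid cert."""
    return f"{base_dn}/{COUNTER_ATTR}={issued_count(entries, base_dn) + 1}"


# Constructed sample index: one valid cert for Alice, one revoked for Bob.
SAMPLE_INDEX = (
    "V\t020606103000Z\t\t01\tunknown\t/C=DE/O=Example CA/CN=Alice Example\n"
    "R\t020606103000Z\t010606110000Z\t02\tunknown\t/C=DE/O=Example CA/CN=Bob Example\n"
)

ALICE = "/C=DE/O=Example CA/CN=Alice Example"
BOB = "/C=DE/O=Example CA/CN=Bob Example"


def demo() -> dict:
    entries = parse_index(SAMPLE_INDEX)
    return {
        "alice_plain": can_issue(entries, ALICE),      # False: a valid cert exists
        "bob_plain": can_issue(entries, BOB),          # True: Bob's cert is revoked
        "alice_next": next_subject(entries, ALICE),    # counter-qualified DN
        "alice_next_ok": can_issue(entries, next_subject(entries, ALICE)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block shows the collision for Alice's plain DN, the free re-issue for Bob after revocation, and the counter-qualified DN `.../dnQualifier=2` that lets Alice receive a second (say, encryption) cert without touching the uniqueness rule in the index.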