From: Martin B. <vc...@cy...> - 2005-02-25 15:01:06

Hi Michael,

> I would like to implement a function sign_object. Everyone can sign an
> object to signal that he verified the object. This has nothing to do
> with the state APPROVED. This way of using signatures allows the old
> style management (only issuing certs from approved and signed requests)
> but it supports much more things too.
>
> An RA operator can sign a pending request for a CA operator certificate
> to signal a CA operator that the data in the request is checked.
> Nevertheless only a CA operator can approve the request. The idea is to
> allow much more detailed and flexible policies.

Sounds good. I remember discussing something similar in November last year or so. Just make sure the signature is just one possible way of adding an 'approval' for a new state. There will be situations where policy demands an environment where signatures are not desired.

Martin