[TriLUG] OpenCA, anyone else looked into this?

Kevin Flanagan kevin at flanagannc.net
Sun Jul 4 17:37:15 EDT 2004


On Sun, 2004-07-04 at 16:59, Tanner Lovelace wrote:

> 
> I'm not sure what this would give us over what we've got right now.
> They've created their own certificate authority.  That's nice, but
> they still make you install their root certificate.  That's
> *exactly* what we have too.  We created our own certificate
> authority for our SSL websites.  The user also has to install
> our root certificate (http://www.trilug.org/cgi-bin/loadCAcert.cgi).
> 
> Now, something we could think about would be to use the CA that
> we've created to sign trilug member SSL certs.  That way, members
> wouldn't have to create their own CA, they could just use ours.
> Jon, is that what you were thinking about?  That might be an
> interesting member benefit we could offer.  We'd need to come up
> with some ground rules and make sure we still remember our
> CA's password O:-), but it's certainly doable.
> 


I think that this would be an interesting benefit; roles and
responsibilities, as well as a way to deal with a Certificate Revocation
List (CRL), would be among the things to do.  Certs are a good thing to
have, but unless there's good process surrounding the certs you issue or
sign, they aren't worth a lot.  I think that Trilug is stable and large
enough that it would be reasonable to trust certs that are signed or
issued by the Trilug CA; the defined process, documentation, etc. would go
a long way towards others trusting them as well.

I just went through creating a set of CAs, an offline root and issuing CAs,
for work.  We are using them for Nortel's routers that create encrypted
tunnels over the carrier's Frame Relay network; when all is said and
done, we will have about 2000 certs issued for this.  The next question
is about EFS stuff for users; right now it's disabled by policy (Windows
systems), so folks can't encrypt stuff and then not be able to recover
it if they lose the key.  ;')  Eventually we expect to have about 40K
certs out there, and with turnover, a decent-sized CRL to keep tabs on.

I think that if you're going to do this as a member benefit, it needs to
be well organized in order to be much of a benefit.


Just my $.02


Kevin


> Any thought on that?
> 
> Cheers,
> Tanner
-- 

+--------------------------------------------------------------+
If you never see anything that offends you, you aren't living in a free
society

Kim Campbell - Former Canadian Prime Minister
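An added example, not part of this thread or of any TriLUG setup: the pieces the message lists (an offline root, an issuing CA, member certs signed by it, and a CRL that relying parties actually check) built with nothing but the openssl command line. The "Example LUG" names, lifetimes, file names and the one-file config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): two-tier CA with openssl.
# Root = self-signed, kept offline once it has signed the issuing CA.
# Issuing CA = signs member certs, revokes them, publishes the CRL.
# "Example LUG" names, lifetimes and file names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # every artifact lives in this directory

# One config serves `req`/`x509` (extension sections) and `openssl ca`
# (database, serial and CRL settings).
write_config() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]

[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ca]
default_ca = issuing

[issuing]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/issuing.crt
private_key = $dir/issuing.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = any_policy

[any_policy]
commonName = supplied
EOF
}

newkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

build_hierarchy() {
    write_config
    cd "$WORK"
    newkey root.key
    openssl req -x509 -new -key root.key -config ca.cnf -extensions ca_ext \
        -subj "/CN=Example LUG Root CA" -days 3650 -sha256 -out root.crt
    newkey issuing.key
    openssl req -new -key issuing.key -config ca.cnf \
        -subj "/CN=Example LUG Issuing CA" -out issuing.csr
    openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.cnf -extensions ca_ext -days 1825 -sha256 -out issuing.crt
    : > index.txt      # empty database plus the counters `openssl ca` expects
    echo 01 > serial
    echo 01 > crlnumber
    publish_crl        # an empty CRL, so checks work from day one
}

# Sign a member's CSR with the issuing CA (the member keeps the private key).
issue_member_cert() {
    cd "$WORK"
    newkey "$1.key"
    openssl req -new -key "$1.key" -config ca.cnf -subj "/CN=$1.members.example" -out "$1.csr"
    openssl x509 -req -in "$1.csr" -CA issuing.crt -CAkey issuing.key -CAcreateserial \
        -extfile ca.cnf -extensions leaf_ext -days 365 -sha256 -out "$1.crt"
}

# Rebuild the CRL from the database: after every revocation, and again
# before default_crl_days run out or relying parties start failing.
publish_crl() {
    cd "$WORK"
    openssl ca -config ca.cnf -gencrl -out issuing.crl
}

revoke_member_cert() {
    cd "$WORK"
    openssl ca -config ca.cnf -revoke "$1.crt"
    publish_crl
}

# Relying-party check: only the root is trusted, the issuing CA is supplied
# as an untrusted intermediate, and the leaf is checked against the CRL.
check_member_cert() {
    cd "$WORK"
    openssl verify -crl_check -CAfile root.crt -untrusted issuing.crt \
        -CRLfile issuing.crl "$1.crt" >/dev/null 2>&1
}

# Number of serials listed in the published CRL.
crl_revoked_count() {
    cd "$WORK"
    openssl crl -in issuing.crl -noout -text | grep -c 'Serial Number:' || true
}

demo() {
    build_hierarchy
    issue_member_cert alice; issue_member_cert bob
    revoke_member_cert bob
    check_member_cert alice && echo "alice: valid"
    check_member_cert bob || echo "bob: rejected (revoked)"
    echo "revoked serials in CRL: $(crl_revoked_count)"
}
if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with `RUN_DEMO=1 sh ca-demo.sh` (any file name; the artifacts land in a temporary directory). The process point from the message shows up in two places: `default_crl_days` is a standing commitment to republish, because a stale CRL makes every member cert fail verification, and `check_member_cert` only proves anything if the people relying on the certs pass `-crl_check` at all.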