[cgl_discussion] about the requirement for PKI CA Support

Zhao, Forrest forrest.zhao at intel.com
Thu Jun 19 18:45:51 PDT 2003

Hi Makan Pourzandi and Paul Kierstead, 

Your advice is very helpful to me. Thanks!

OpenCA (www.openca.org) is in the PoC of PKI CA. I have had an initial test with it. Can't OpenCA meet the CGL 2.0 requirement? Why? Because of its performance?

Thanks for your comments!

**These views are not necessarily those of my employer.**

-----Original Message-----
From: Makan Pourzandi (LMC) [mailto:Makan.Pourzandi at ericsson.ca] 
Sent: 19 June 2003 23:55
To: Zhao, Forrest
Cc: Paul Kierstead; cgl_discussion at osdl.org
Subject: Re: [cgl_discussion] about the requirement for PKI CA Support

Hi Forrest,

I believe the important word here is "small". From our discussions in 
cgl_specs, my understanding is that the main purpose of this PKI is not 
to be used for general PKI issues in large networks managing hundreds of 
certificates, rather we aim at a limited use inside a cluster or among 
several nodes of the network. IMO, this can be very useful to avoid many 
headaches of managing the certificates which are "locally" used.

Personally, I'd like to see an open source project handling the PKI 
issues at large. However, I am not aware of any project that people want 
to rely on. I would be happy if somebody can point me to any good open 
source PKI project being able to decently handle hundreds of 
certificates on a network of less than a hundred nodes.

Makan Pourzandi
Makan Pourzandi,
Ericsson Research Canada makan.pourzandi at ericsson.ca
This email does not represent or express the opinions of
Ericsson Inc.

Paul Kierstead wrote:

> Zhao, Forrest wrote:
>> I'm a bit confused with one of the CGL 2.0 requirements: ID 7.3.4, Name: 
>> PKI CA Support
>> 1.
>> The requirement says: “Certificate Management/Request protocols are 
>> not a requirement; CRL Support (Certification Revocation List) is 
>> required”
>> We know that CRL support is one component of Certificate Management 
>> protocols (RFC 2510), how should we understand this contradiction? 
>> Does this "CRL support" mean that CGL 2.0 only supports the 
>> publication of CRL, not the creation of CRL?
>> 2.
>> If we only support the publication of certificates and CRLs in PKI CA, 
>> I don't think this PKI CA has much use. So I'd like to ask a 
>> question: what indeed do we want a PKI CA to do in CGL 2.0? Just for 
>> the publication of certificates and CRLs?
> You do not need management protocols in order to create a CRL. For 
> example, a CRL can be created from the command line or a custom GUI. 
> The certificate management protocols allow a standardized mechanism to 
> request (and other operations) a certificate from a remote location. 
> This is not necessary IMO for the rather small PKI required for CGL.
> -- 
> Paul Kierstead
> Alcatel Canada - R&I - Security group
> 600 March Road - Kanata, ON, Canada K2K 2E6
> Phone: +1 613 784 3822 Fax: +1 613 784 8944 
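To make Paul's point concrete, here is an added example (not from anyone in this thread, and not OpenCA's code) of a small, cluster-local CA run entirely from the command line with the OpenSSL CLI: it issues a node certificate, revokes it, and publishes a CRL, with no certificate management protocol (RFC 2510) in the picture. It assumes `openssl` is installed; the CA name, node names, directory layout and serial numbers are constructed for the demo. It also shows the check that CRL support is only useful for: a relying party that validates the chain but never consults the CRL keeps accepting the revoked certificate.

```shell
#!/bin/sh
# Added example, not part of the thread: a purely command-line CA with
# OpenSSL that issues a node certificate, revokes it, and publishes a CRL.
# No certificate management protocol (RFC 2510 / CMP) is involved.
# All names, paths and serial numbers here are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA="$WORK/ca"
CNF="$CA/openssl.cnf"

# Build the directory layout that `openssl ca` expects, plus a minimal
# configuration. index.txt is the CA database; crlnumber feeds the CRL
# Number extension so relying parties can tell a stale CRL from a fresh one.
init_ca() {
  mkdir -p "$CA/newcerts"
  : > "$CA/index.txt"
  echo 1000 > "$CA/serial"      # hex serial of the first issued certificate
  echo 01 > "$CA/crlnumber"
  cat > "$CNF" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = local_policy
x509_extensions  = node_ext

[ local_policy ]
commonName = supplied

[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign

[ node_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = placeholder
EOF
  # Self-signed root for the cluster; its private key never leaves this directory.
  openssl req -x509 -config "$CNF" -extensions ca_ext -newkey rsa:2048 -nodes \
    -sha256 -days 365 -subj "/CN=Example Cluster CA" \
    -keyout "$CA/ca.key" -out "$CA/ca.crt" >/dev/null 2>&1
}

# Issue a certificate for one node from a locally generated CSR.
issue_node_cert() {                # $1 = node name, e.g. node1
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl ca -batch -config "$CNF" -notext \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Revoke a node's certificate and publish a fresh CRL. The reason code is
# recorded in the CRL entry, so a decommissioned node and a compromised key
# can be told apart by whoever reads the CRL.
revoke_and_publish_crl() {         # $1 = node name
  openssl ca -config "$CNF" -revoke "$WORK/$1.crt" \
    -crl_reason cessationOfOperation >/dev/null 2>&1
  openssl ca -config "$CNF" -gencrl -out "$CA/crl.pem" >/dev/null 2>&1
}

# Chain validation only: still succeeds after revocation, because a CRL the
# verifier never consults protects nobody.
verify_chain_only() {              # $1 = cert path; returns 0 if accepted
  openssl verify -CAfile "$CA/ca.crt" "$1" >/dev/null 2>&1
}

# Chain validation with CRL checking: this is what "CRL support" buys you.
verify_with_crl() {                # $1 = cert path; returns 0 if accepted
  openssl verify -crl_check -CAfile "$CA/ca.crt" -CRLfile "$CA/crl.pem" "$1" \
    >/dev/null 2>&1
}

# Does the published CRL list the serial number of the given certificate?
crl_lists_cert() {                 # $1 = cert path; returns 0 if listed
  serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
  openssl crl -in "$CA/crl.pem" -noout -text | grep -q "Serial Number: $serial"
}

init_ca
issue_node_cert node1
verify_chain_only "$WORK/node1.crt" && echo "node1: accepted before revocation"
revoke_and_publish_crl node1
verify_chain_only "$WORK/node1.crt" && echo "node1: still accepted when the CRL is ignored"
verify_with_crl "$WORK/node1.crt" || echo "node1: rejected once the CRL is checked"
```

Everything the CRL needs (the CA's database, its signing key and a serial-number bookkeeping file) is local to the CA machine; a management protocol only matters when the request and revocation steps have to be driven from remote nodes, which is what the requirement text leaves out.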
