Closed JamesTheAwesomeDude closed 3 years ago
…unfortunately, their "blueprint" appears to contain nothing workable for this project:
5.PKI Implementation Blueprint
Using the results presented in the preceding sections, we can now look at how a PKI might be implemented with a particular goal of using the most practical real-world technology in order to increase the chances of successful deployment. As was already mentioned earlier, this implementation blueprint covers only the “How” aspect and leaves issues such as policy and legal concerns to the appropriate entities.
The basic certificate-management system is built on top of the database of choice, and uses an HTTP (or HTTPS) interface for communication. Certificates are generally identified by user name (CommonName in X.500 terminology) and email address, with alternatives such as an account number, IP address, or device name being used where this isn’t feasible.
Certificate issue is handled via a minimal one-click interface, which can be accomplished on most systems in a reasonably automated manner by reading the user name and email address from the user account information (for example the GCOS field under Unix or the Windows user information), and using it to populate the certificate request. The generated certificate is obtained by fetching it from the certificate store.
The process of obtained a certificate is also the mechanism used for freshness/validity checking, with the certificate store returning only known-good certificates. Historical queries and similar issues are handled through the standard auditing and accounting mechanisms built into the database, which are used to track certificate additions and deletions and similar operations.
The basic mechanisms presented here can (obviously) be garnished to taste. For example some CAs may require a private-key proof-of-possession operation before issuing a certificate, which may require a two-stage process to be used when requesting a certificate. Potential implementers should however bear in mind that the goal of this work was to determine how to build a practical PKI. A workable (but not quite theoretically perfect) practical PKI is still better than theoretically perfect vapourware.
(No; I did not exclude anything. That's the entire section.)
According to this guy, who seems quite sharp and has written extensively on X.509:
There may be some benefit to the project from reading this paper. We can "bolt on" much more security than browser vendors are at liberty to.