[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

[Openvpn-devel] key management ?


  • Subject: [Openvpn-devel] key management ?
  • From: gary ng <garyng2000@xxxxxxxxx>
  • Date: Wed, 7 Apr 2004 21:31:45 -0700 (PDT)

Hi,

Openvpn is moving nicely in feature for large scale
deployment.

I am wondering if there is already plan to make the
key management more suitable for this kind of
deployment.

AFAIK, currently the cert can only be signed by one
root CA. However, this is usually not how these public
key based authentication is used in corporations(based
on my experienced with Lotus Notes). Usually, the root
CA of an organisation is well guarded and is only used
to sign intermediate CAs(can be multiple level) which
are then delegated for actual end node cert signing.
This has the advantage that if certain CAs are
compromised, they can be moved to CRL making any
future cert signed by then being rejected. This is
also useful for inter-organisational situation when
such confidential communication is necessary. 

Another nice to have feature is to associate(or limit)
the remote IPs based on certificates. 



__________________________________
Do you Yahoo!?
Yahoo! Small Business $15K Web Design Giveaway 
http://promotions.yahoo.com/design_giveaway/

____________________________________________
Openvpn-devel mailing list
Openvpn-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-devel