[Mono-list] My Project under Mono

Sebastien Pouliot sebastien.pouliot at gmail.com
Sat Jan 14 12:25:28 EST 2006

Hello Oleg,

On Sat, 2006-01-14 at 13:35 +0300, Galkin Oleg wrote:
> Hello!
> I have question to all people familiar with security and cryptography.
> I've started open source project to create small-scale Certification
> Authority based on Mono. Here is URL: http://microca.sourceforge.net

Very interesting. I did something similar when I first started learning
about .net and web services when (1.0) beta2 was released (seems a long
time ago).

This was an XKMS (1.0) client and server, where the server had
everything to create x.509 certificates, CRLs and OCSP responses. The
client/server couldn't be open-sourced (for contractual reasons) but
updated versions of the most basic stuff (ASN.1 and x.509 certificates)
are available in Mono.Security.dll.

> How do you think is there any future of this project. Your notes and
> opinion about this project is very important to me.

IMHO it depends on your definition of success ;-)

Very few PKI implementation projects succeed (and those that succeed
generally never talk about the PKI stuff used internally). This
translates to lack of "user/CA base" success for *any* CA
implementation. So if you're looking to create a "big" user/CA base then
you may be disappointed.

I can suggest a few things if you want to create a "generic" CA

        * don't try to do everything at once - there's too much to cover
        and that will only frustrate people needing the half-implemented
        * when you do something do it right - from a usability point of
        view. Creating certificates is easy but, mostly, worthless if
        you don't publish them and support a revocation mechanism;
        * try to make your first version "works" (interop) with some
        existing software (e.g. provide a "template" to create SSL
        server certificates). That's usable and can be used by
        "normal" (non X.509 versed) people to get immediate
        results/feedback. Add more scenarios later (e.g. S/MIME
        certificates, SSL client certificates, VPN...). This also
        affects how you'll publish (web, ldap...) your certificates and
        how you'll revoke them (crl, ocsp...)

Of course you can also "hide the PKI" and decide to offer some security
services on top of PKI technologies - as some people now fear the PKI
acronym ;-)

Have fun!
Sebastien Pouliot  <sebastien at ximian.com>
Blog: http://pages.infinit.net/ctech/

More information about the Mono-list mailing list