[Mono-list] My Project under Mono
jericho at nekto.ru
Sun Jan 15 03:28:22 EST 2006
At last i've received good answer on my question! Big thanks to you!
SP> Very interesting. I did something similar when I first started learning
SP> about .net and web services when (1.0) beta2 was released (seems a long
SP> time ago).
SP> This was an XKMS (1.0) client and server, where the server had
SP> everything to create x.509 certificates, CRLs and OCSP responses. The
SP> client/server couldn't be open-sourced (for contractual reasons) but
SP> updated versions of the most basic stuff (ASN.1 and x.509 certificates)
SP> are available in Mono.Security.dll.
Yes, i've already practised with Mono X509Certificate and
X509CertificateBuilder, it seems easy to create and parse certificates
with this classes. But there aren't classes for PKCS#10 Certificate
Request and requests are in use in many CA's. It would be great to
have classes like CertificateRequest, CertificateRequestCollection and
CertificateRequestBuilder. I quess, i will have to compensate this lack of
>> How do you think is there any future of this project. Your notes and
>> opinion about this project is very important to me.
SP> IMHO it depends on your definition of success ;-)
SP> Very few PKI implementation projects succeed (and those that succeed
SP> generally never talk about the PKI stuff used internally). This
SP> translates to lack of "user/CA base" success for *any* CA
SP> implementation. So if you're looking to create a "big" user/CA base then
SP> you may be disappointed.
SP> I can suggest a few things if you want to create a "generic" CA
SP> * don't try to do everything at once - there's too much to cover
SP> and that will only frustrate people needing the half-implemented
Yes, i thought about that, i agree.
SP> * when you do something do it right - from a usability point of
SP> view. Creating certificates is easy but, mostly, worthless if
SP> you don't publish them and support a revocation mechanism;
Yes, yes of course.
SP> * try to make your first version "works" (interop) with some
SP> existing software (e.g. provide a "template" to create SSL
SP> server certificates). That's usable and can be used by
SP> "normal" (non X.509 versed) people to get immediate
SP> results/feedback. Add more scenarios later (e.g. S/MIME
SP> certificates, SSL client certificates, VPN...). This also
SP> affects how you'll publish (web, ldap...) your certificates and
SP> how you'll revoke them (crl, ocsp...)
Interesting, i'll take it into account.
SP> Of course you can also "hide the PKI" and decide to offer some security
SP> services on top of PKI technologies - as some people now fear the PKI
SP> acronym ;-)
SP> Have fun!
Your advices are very helpful! Thanks!
More information about the Mono-list