[Mono-list] My Project under Mono

Galkin Oleg jericho at nekto.ru
Sun Jan 15 03:28:22 EST 2006


Hello, Sebastien!

At last I've received a good answer to my question! Big thanks to you!

SP> Very interesting. I did something similar when I first started learning
SP> about .net and web services when (1.0) beta2 was released (seems a long
SP> time ago).

SP> This was an XKMS (1.0) client and server, where the server had
SP> everything to create x.509 certificates, CRLs and OCSP responses. The
SP> client/server couldn't be open-sourced (for contractual reasons) but
SP> updated versions of the most basic stuff (ASN.1 and x.509 certificates)
SP> are available in Mono.Security.dll.

Yes, I've already practised with Mono X509Certificate and
X509CertificateBuilder; it seems easy to create and parse certificates
with these classes. But there aren't classes for PKCS#10 Certificate
Requests, and requests are in use in many CAs. It would be great to
have classes like CertificateRequest, CertificateRequestCollection and
CertificateRequestBuilder. I guess I will have to compensate for this lack of
functionality.


>> How do you think, is there any future for this project? Your notes and
>> opinion about this project are very important to me.

SP> IMHO it depends on your definition of success ;-)

SP> Very few PKI implementation projects succeed (and those that succeed
SP> generally never talk about the PKI stuff used internally). This
SP> translates to lack of "user/CA base" success for *any* CA
SP> implementation. So if you're looking to create a "big" user/CA base then
SP> you may be disappointed.


SP> I can suggest a few things if you want to create a "generic" CA
SP> software/tools

SP>         * don't try to do everything at once - there's too much to cover
SP>         and that will only frustrate people needing the half-implemented
SP>         features;

Yes, I thought about that; I agree.

SP>         * when you do something do it right - from a usability point of
SP>         view. Creating certificates is easy but, mostly, worthless if
SP>         you don't publish them and support a revocation mechanism;

Yes, yes, of course.

SP>         * try to make your first version "work" (interop) with some
SP>         existing software (e.g. provide a "template" to create SSL
SP>         server certificates). That's usable and can be used by
SP>         "normal" (non X.509 versed) people to get immediate
SP>         results/feedback. Add more scenarios later (e.g. S/MIME
SP>         certificates, SSL client certificates, VPN...). This also
SP>         affects how you'll publish (web, ldap...) your certificates and
SP>         how you'll revoke them (crl, ocsp...)

Interesting, I'll take it into account.

SP> Of course you can also "hide the PKI" and decide to offer some security
SP> services on top of PKI technologies - as some people now fear the PKI
SP> acronym ;-)

SP> Have fun!

Your advice is very helpful! Thanks!

Oleg
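Added example (not part of the post, and not code from the Mono project): what "creating and parsing certificates" with Mono.Security's X509CertificateBuilder and X509Certificate looks like in practice, extended with the two things Sebastien's "do it right" advice implies a CA certificate needs before it is worth publishing: a critical BasicConstraints extension marking it as a CA and a KeyUsage extension restricting the key to certificate and CRL signing. It assumes a reference to Mono.Security.dll and a build whose signer accepts "SHA256" as the hash name (older builds only know "MD5"/"SHA1"); the class, property and enum names are the ones Mono's own makecert tool uses. PKCS#10 requests are deliberately absent, since, as the post says, Mono.Security has no classes for them.

```csharp
// Added example, not from the post or the Mono project.
// Assumes: a reference to Mono.Security.dll, and a build that maps "SHA256"
// in X509CertificateBuilder.Hash (older builds: use "SHA1").
using System;
using System.Security.Cryptography;
using Mono.Security.X509;
using Mono.Security.X509.Extensions;

class SelfSignedCaDemo
{
    static void Main()
    {
        // CA key pair. In a real CA this key would live in protected storage,
        // not in process memory of a demo.
        RSA caKey = new RSACryptoServiceProvider(2048);

        X509CertificateBuilder cb = new X509CertificateBuilder(3); // X.509 v3

        // Serial numbers must be unique per issuer; a random positive value
        // also makes them unpredictable.
        byte[] serial = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(serial);
        serial[0] &= 0x7F; // keep the DER INTEGER positive
        cb.SerialNumber = serial;

        cb.IssuerName = "CN=Example Test CA, O=Example"; // constructed sample name
        cb.SubjectName = cb.IssuerName;                   // self-signed: issuer == subject
        cb.NotBefore = DateTime.UtcNow;
        cb.NotAfter = DateTime.UtcNow.AddYears(10);
        cb.SubjectPublicKey = caKey;
        cb.Hash = "SHA256"; // assumption: supported by this Mono.Security build

        // cA=TRUE, critical: relying parties must honour it to chain to this cert.
        BasicConstraintsExtension bce = new BasicConstraintsExtension();
        bce.CertificateAuthority = true;
        bce.Critical = true;
        cb.Extensions.Add(bce);

        // Restrict the CA key to signing certificates and CRLs (the revocation
        // mechanism Sebastien mentions), nothing else.
        KeyUsageExtension kue = new KeyUsageExtension();
        kue.KeyUsage = KeyUsages.keyCertSign | KeyUsages.cRLSign;
        kue.Critical = true;
        cb.Extensions.Add(kue);

        byte[] der = cb.Sign(caKey); // DER-encoded, self-signed certificate

        // Parse it back and check what a CA should verify before publishing it.
        X509Certificate cert = new X509Certificate(der);
        Console.WriteLine("Subject: " + cert.SubjectName);
        Console.WriteLine("Issuer:  " + cert.IssuerName);
        Console.WriteLine("Valid:   " + cert.ValidFrom.ToString("u") + " .. " + cert.ValidUntil.ToString("u"));
        Console.WriteLine("Self-signature verifies: " + cert.VerifySignature(caKey));
        foreach (X509Extension ext in cert.Extensions)
            Console.WriteLine("Extension " + ext.Oid + (ext.Critical ? " (critical)" : ""));
    }
}
```

Compile with `mcs -r:Mono.Security SelfSignedCaDemo.cs` under Mono. The parse-back step is the part worth keeping in any CA tool: it catches a builder misconfiguration (missing cA flag, wrong key usage, validity window in the past) before the certificate is handed to anyone.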

