This section will describe the future work needed for OpenCA and also discuss any deficiencies that exist.
The current layout of OpenCA (see Figure 4-1) does not yet scale to multiple CAServers or RAServers. This is not currently a high-priority issue, as it is very important to first come up with a simple, secure and clean implementation of a CA.
Do more work on the LDAP support.
There are also scalability issues when OpenCA is under heavy use. The current implementation uses CGI scripts written in Perl, and these scripts invoke the openssl application. The overhead of invoking these two big executables (perl and openssl) is very high. Depending on the hardware configuration, there will be a point at which physical memory is exhausted, the system starts swapping heavily, and the load rises sharply.
A possible solution is to make use of mod_perl for the Apache WWW Server. This adds a new software component, which means that it should also be included in a future security review.
Calling the OpenSSL library would be much more efficient than invoking the OpenSSL openssl application. Both Perl and C support library function invocation.
In the current OpenCA layout (see Figure 4-1) the CAServer is shown as not networked, and it communicates with the RAServer using, for example, removable media. A solution could be proposed that allows a networked configuration while still maintaining a high degree of security.
A test-suite is needed to test the installation for correctness and to provide an estimate of throughput capabilities. For the current implementation of OpenCA, applications like cURL could be used to write a test-suite. cURL supports SSL/TLS connections, is a command-line application, and is open-source. It can be found at the cURL - Client to fetch URLs link.
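A sketch of such a cURL-based test-suite follows, as an added example that is not part of OpenCA: it checks that each page answers over verified TLS and estimates sequential request throughput. BASE_URL, CA_BUNDLE, SUITE_PATHS and the request paths are hypothetical placeholders for the installation's real values.

```shell
#!/bin/sh
# Added example, not OpenCA code. BASE_URL, CA_BUNDLE, SUITE_PATHS and the
# request paths are hypothetical; substitute the installation's real ones.
BASE_URL="${BASE_URL:-https://ra.example.test}"
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Print the HTTP status for one URL. The server certificate is verified
# against CA_BUNDLE; a TLS or connection failure prints 000, never a pass.
fetch_status() {
    curl --silent --output /dev/null --max-time 10 \
         --cacert "$CA_BUNDLE" --write-out '%{http_code}' "$1" || true
}

# Correctness: every path must answer 200. Sets FAILURES; fails if any do not.
check_install() {
    FAILURES=0
    for p in "$@"; do
        code=$(fetch_status "$BASE_URL$p")
        if [ "$code" = "200" ]; then
            echo "PASS $p"
        else
            echo "FAIL $p (HTTP ${code:-none})"
            FAILURES=$((FAILURES + 1))
        fi
    done
    [ "$FAILURES" -eq 0 ]
}

# Integer requests per second; an elapsed time under 1 s is counted as 1 s.
rate() {
    elapsed=$2
    [ "$elapsed" -gt 0 ] || elapsed=1
    echo $(( $1 / elapsed ))
}

# Throughput: N sequential requests to one path. Sets OK_COUNT and prints the
# rate of successful requests only, so errors do not inflate the estimate.
estimate_throughput() {
    OK_COUNT=0; i=0; start=$(date +%s)
    while [ "$i" -lt "$2" ]; do
        [ "$(fetch_status "$BASE_URL$1")" = "200" ] && OK_COUNT=$((OK_COUNT + 1))
        i=$((i + 1))
    done
    rate "$OK_COUNT" $(( $(date +%s) - start ))
}

# Runs only when paths are supplied: SUITE_PATHS="/page1 /page2" sh suite.sh
if [ -n "${SUITE_PATHS:-}" ]; then
    set -- $SUITE_PATHS
    check_install "$@" && estimate_throughput "$1" 50
fi
```

Because the requests are sequential, the figure is a lower bound for a single client; it does not show the memory exhaustion that concurrent CGI invocations would cause.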
A security review is necessary for all the software components that are required by and constitute the OpenCA software.
Smart cards could be used in the OpenCA Project. Linux® supports the usage of smart cards. Information can be found at the MUSCLE Smartcard Home Page. MUSCLE supports PC/SC and OCF (through JNI). The PC/SC support is more complete and could provide the necessary performance. It can also be accessed through Perl and C.
OpenCA could be implemented in various other languages. The decision should weigh the benefits against the source-code fork problem.
Internationalisation of OpenCA. This could be accomplished with the gettext support that Perl has. However, this should wait until the software has been stabilised.