CA based User Registration does not stop you

from starting user registration even if you are not an authorized CA or RA.

As far as I can see, anybody with Author access (+Create User) to the NAB, to Admin4.nsf and certlog.nsf can start user registration and actually create a person record in the NAB with a valid internet password.

The server based CA process will then fail in creating a proper key for the id file, but still the NAB will contain some leftovers…

Does anybody know if it is possible to stop the user at a much earlier stage and prevent him/her from proceeding in using a CA he/she is not authorized to?

Thanks

Subject: CA based User Registration does not stop you …

No create user rights in the addressbook.

cheers,

Tom

Subject: RE: CA based User Registration does not stop you …

Thanks, that is of course an option, but I would appreciate that the configuration in the CA is enforced regardless of the ACL on the NAB, admin4 or certlog.

But if there are no other options, well I will live with it :)

Thanks

Subject: RE: CA based User Registration does not stop you …

Yes, I think you are right. It would be very handy if CA was a bit more intelligent (or the persondoc wouldn’t be created until the CA request is approved?)

But since you can always create person documents in the NAB, without even using the CA, and use these via HTTP, it’s not really a CA problem.

You should be careful about who to allow to create users :)

cheers,

Tom