[Freeipa-devel] DNSSEC design page: key wrapping

Tue Mar 4 23:32:10 UTC 2014

On 03/04/2014 05:30 PM, Petr Spacek wrote:
> On 4.3.2014 23:18, Dmitri Pal wrote:
>>> We need PKCS#11 for CA certificates, BIND and OpenDNSSEC anyway so 
>>> we need
>>> to design schema for *public* data. All private data can be stored 
>>> in Vault
>>> if we agree on that.
>>
>> Do we need it on the server and if so can it be exposed by the vault 
>> rather
>> than via LDAP?
> We need standard PKCS#11 interface because applications like BIND and 
> OpenDNSSEC do not care about IPA-specifics. However applications see 
> only PKCS#11 interface and nothing else, there could be LDAP or some 
> other protocol behind the API.
>
> Honza's plan is to integrate PKCS#11 module to SSSD somehow so it will 
> be available on all client machines, it will use caching facilities, 
> fail-over etc.
>
> Replying to the other thread to join both threads to one:
>> Also about PKCS#11 interface. I am all for PKCS#11 interface for client
>> exposed from SSSD that uses whatever means to fetch the central keys 
>> it being
>> SSH keys, gnome keyring keys or something else.
> AFAIK that is exactly the plan.
>
>> I do not see a reason for IPA
>> to expose a remote PKCS#11 interface. If we need a remote PKCS#11 
>> interface
>> (please insert why here) then it should be a part of the vault API 
>> rather than
>> anything else.
> I'm not sure that I understand...
>
> PKCS#11 is just a set of functions, for an application it is a library.
>
> An application just calls the PKCS#11 API and knows nothing about 
> implementation details so there is nothing like 'remote PKCS#11'. As I 
> said above, SSSD will be behind scenes. Everything is local except the 
> data storage in LDAP or vault, it doesn't matter.
>
> Maybe I misunderstood you, sorry.
>
Remote means that there is a PKCS#11 library that can be loaded into a 
process and would remotely connect to a central server via 
LDAP/REST/whatever. My point is that library should be light weight and 
always talk to a local service like SSSD rather than have a remote 
interface. In this case SSSD on the server can talk to the vault or IPA 
LDAP directly and all consumers would use PKCS#11 interface exposed by SSSD

Something like this...

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140304/c5146ade/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bagjhfhh.png
Type: image/png
Size: 31680 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140304/c5146ade/attachment.png>