[Freeipa-devel] DNSSEC design page: key wrapping

Simo Sorce simo at redhat.com
Wed Mar 5 04:10:45 UTC 2014


On Tue, 2014-03-04 at 18:32 -0500, Dmitri Pal wrote:
> Remote means that there is a PKCS#11 library that can be loaded into a
> process and would remotely connect to a central server via 
> LDAP/REST/whatever. My point is that library should be light weight
> and always talk to a local service like SSSD rather than have a remote
> interface. In this case SSSD on the server can talk to the vault or
> IPA LDAP directly and all consumers would use PKCS#11 interface
> exposed by SSSD
> 
> Something like this...

Yes, this is the setting we are discussing; the actual specific
discussion is how SSSD gets the information.

Honza proposed to use a PKCS#11-like schema to store data in LDAP, given
DNS will need something similar; however, the more we wandered into the
discussion, the more I got convinced the Vault is probably a better place
to store this material than the LDAP tree itself, at least for private
keys.

For public key material only, though, I am not sure a PKCS#11 schema will
necessarily be useful. It might, but we do not use it for public SSH
keys. And we also already have schema for public User or Server X509
certs.

We need to define something for DNS public keys, but they are already
published in DNS records too, if I am not wrong; would that be sufficient
as storage for the public part? I am assuming the private keys are
stored in the Vault and that they can be files in the format used by bind?

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York
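The question above, whether the DNSKEY published in the zone can stand in for the public half while the private half lives elsewhere, turns on being able to correlate the two. As an added example (not code from this thread or from FreeIPA), the following parses a BIND-style `K<zone>+<alg>+<tag>.key` file, computes the RFC 4034 Appendix B key tag from the DNSKEY RDATA, and checks it against the tag in the file name; the same tag is what a consumer would use to match a DNSKEY fetched from DNS to a private key file held in a vault. The zone name and key bytes are constructed placeholders, not a real key.

```python
import base64
import re
import struct

# Constructed sample: the public half of a BIND key pair as written to
# K<zone>+<alg>+<tag>.key. Key bytes are a placeholder pattern, not a real key.
SAMPLE_FILENAME = "Kexample.test.+008+10291.key"
SAMPLE_KEY_FILE = (
    "; This is a key-signing key, keyid 10291, for example.test.\n"
    "example.test. IN DNSKEY 257 3 8 AQIDBAUGBwgJCgsM\n"
)

# owner [ttl] IN DNSKEY flags protocol algorithm base64-key
DNSKEY_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


def parse_dnskey_line(text):
    """Return (owner, rdata) for the first DNSKEY RR in a BIND .key file."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DNSKEY_RE.match(line)
        if not m:
            raise ValueError("not a DNSKEY RR: %r" % line)
        owner, flags, proto, alg, b64 = m.groups()
        pubkey = base64.b64decode("".join(b64.split()))
        # RDATA wire format: flags(2) protocol(1) algorithm(1) public key
        return owner, struct.pack("!HBB", int(flags), int(proto), int(alg)) + pubkey
    raise ValueError("no DNSKEY RR found")


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check_key_file(filename, text):
    """Verify that the file name's zone, algorithm and tag match the DNSKEY inside."""
    m = re.match(r"^K(.+)\+(\d{3})\+(\d{5})\.key$", filename)
    if not m:
        raise ValueError("unexpected key file name: %r" % filename)
    name, alg, tag = m.group(1), int(m.group(2)), int(m.group(3))
    owner, rdata = parse_dnskey_line(text)
    flags, _, rdata_alg = struct.unpack("!HBB", rdata[:4])
    return {
        "owner": owner,
        "name_matches": owner == name,
        "alg_matches": rdata_alg == alg,
        "tag_matches": key_tag(rdata) == tag,
        "is_ksk": bool(flags & 0x0001),  # SEP bit set: key-signing key
    }
```

Run `check_key_file` over a DNSKEY RRset pulled from the zone instead of the `.key` file to confirm that what is published matches the private key the vault actually holds.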



