[Freeipa-devel] Dogtag lightweight sub-CAs; updated design
Fraser Tweedale
ftweedal at redhat.com
Tue Oct 7 03:31:09 UTC 2014
Hi all,

The Dogtag lightweight sub-CAs design has undergone major revision
and expansion ahead of beginning the implementation (I plan to begin
later this week). This feature will provide an API for admins to
create sub-CAs for separate security domains and augment the
existing API so that certificate requests can be directed to a
particular sub-CA.

This feature will be used in FreeIPA for issuing user or service
certificates for particular purposes (that will be rejected when used
for other purposes).

Please review the document and provide feedback.

http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs

Feedback/suggestions for the REST API (that FreeIPA will use) and
ACI considerations (e.g. is it appropriate to use the existing
"agent" credential or should a separate credential or more
fine-grained ACIs be used) are particularly encouraged.

Cheers,
Fraser