[Freeipa-devel] Dogtag lightweight sub-CAs; updated design

Simo Sorce simo at redhat.com
Thu Oct 9 13:06:47 UTC 2014


On Tue, 07 Oct 2014 16:32:24 +0200
Petr Spacek <pspacek at redhat.com> wrote:

> Naturally this forces applications to use PKCS#11 for all crypto so
> the raw key never leaves HSM. Luckily DNSSEC software is built around
> PKCS#11 so it was a natural choice for us.
> 
> Personally, I would say that this is the way to go.

I think this should be a goal indeed. However, I'd be content if the
proxy process I described would use SoftHSM to retrieve the secrets to
hand them out (or proxy the calls by using them to authenticate) for
now. But yes, the idea is that we store them encrypted in LDAP and the
only thing we do is to add IPA servers' public keys to LDAP as a way to
distribute access to master keys.

The CA stuff is slightly different though.

We really have only 2 ways here:

1. Keep using certificates and build a proxy service that uses GSSAPI
for authenticating received requests, then turn around and fetch a
corresponding cert only the proxy has access to and replay the same
command to the CA using this cert for auth.

2. Teach dogtag to use GSSAPI for authenticating these requests and
then just tell it which principals (or groups of principals) are
allowed to perform operations instead of using certs.

Of course, #2 would be much simpler.

Fraser, how hard do you think it would be to add #2?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
