[Freeipa-devel] Dogtag lightweight sub-CAs; updated design

Fraser Tweedale ftweedal at redhat.com
Mon Oct 13 05:54:29 UTC 2014


On Tue, Oct 07, 2014 at 01:47:05PM +0200, Martin Kosek wrote:
> On 10/07/2014 05:31 AM, Fraser Tweedale wrote:
> > Hi all,
> > 
> > The Dogtag lightweight sub-CAs design has undergone major revision
> > and expansion ahead of beginning the implementation (I plan to begin
> > later this week).  This feature will provide an API for admins to
> > create sub-CAs for separate security domains and augment the
> > existing API so that certificate requests can be directed to a
> > particular sub-CA.
> > 
> > This feature will be used in FreeIPA for issuing user or service
> > certificates for particular purposes (that will be rejected when used
> > for other purposes).
> > 
> > Please review the document and provide feedback.
> > 
> >     http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs
> > 
> > Feedback/suggestions for the REST API (that FreeIPA will use) and
> > ACI considerations (e.g. is it appropriate to use the existing
> > "agent" credential or should a separate credential or more
> > fine-grained ACIs be used) are particularly encouraged.
> > 
> > Cheers,
> > 
> > Fraser
> 
> Thanks for sharing the design! A couple of initial comments:
> 
> > Creating sub-CAs
> >
> > Creation of sub-CAs at any time after the initial spawning of a CA instance
> > is a requirement. Preferably, restart would not be needed, however, if needed,
> > it must be able to be performed without manual intervention.
> 
> I am all for having the operation in effect without requiring restart,
> especially given the change is in the replicated tree. What do you mean by "restart
> without manual operation"? That Dogtag would restart itself when it detects
> that subCA would be added?
> 
This is an artifact of earlier discussions.  The requirement was
that if a restart was required to complete the addition of a sub-CA,
it could be triggered automatically.  But I think it is now clear
that it should be possible to do it without a restart.

> > Key generation and storage
> 
> Are we referring to
> http://www.freeipa.org/page/V4/PKCS11_in_LDAP
> http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema
> ? Contact people: Jan Cholasta, Petr Spacek
> 
(Probably clear from the subsequent discussion, but for the sake of
a direct answer...)  No, not specifically referring to the above.
The requirement is to generate sub-CA signing keys and propagate
them to clones, securely; this is for a Dogtag CA subsystem feature,
so it should be possible to do it without a KRA subsystem, SSSD,
etc.

> 
> > ACI considerations
> 
> Agent credential is used by FreeIPA web interface, all authorization is then
> done on python framework level. We can add more agents and then switch the used
> certificate, but I wonder how to use it in authorization decisions. Apache
> service will need to have access to all these agents anyway.
> 
> First we need to think about how fine-grained the authorization we want should be. I think we
> will want to be able to say, for example, that user Foo can generate certificates
> in a specified subCA. I am not sure it is a good way to go, it would also make
> such private key distribution on IPA replicas + renewal a challenge.
> 
> Right now, we only have "Virtual Operations" concept to authorize different
> operations with Dogtag CA, but it does not distinguish between different CAs.
> We could add a new Virtual Operation for every subCA, but it looks clumsy. But
> the ACI-based mechanism and our permission system would still be the easiest
> way to go, IMHO, compared to utilizing PKI agents.
> 
> Martin
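The trust scoping the thread describes (a certificate issued by one sub-CA for one purpose is rejected when presented for another purpose, or to a relying party that only trusts a different sub-CA) can be shown with nothing but Go's standard library. The following is an added example, not code from the thread, from Dogtag or from FreeIPA: it builds a constructed root, two sub-CAs (one for user certificates restricted to client authentication, one for service certificates restricted to server authentication) and one leaf under each, then runs the relying-party check in the four combinations that matter. All names, serial numbers and validity periods are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a constructed test PKI: one root, two sub-CAs for separate
// security domains, and one end-entity certificate issued by each sub-CA.
type Hierarchy struct {
	Root, SubA, SubB, LeafA, LeafB *x509.Certificate
}

// newKey generates a throwaway P-256 key (constructed, not a real CA key).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate describes a CA; pathLen 0 means "may only issue end-entity certs".
func caTemplate(cn string, serial int64, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate describes an end-entity cert restricted to a single purpose (EKU).
func leafTemplate(cn string, serial int64, eku x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
}

// sign issues tmpl under parent using the parent's private key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Build creates root -> {Sub-CA A (user certs), Sub-CA B (service certs)} -> one leaf each.
func Build() *Hierarchy {
	rootKey, aKey, bKey := newKey(), newKey(), newKey()
	rootT := caTemplate("Constructed Root CA", 1, 1)
	root := sign(rootT, rootT, &rootKey.PublicKey, rootKey) // self-signed
	subA := sign(caTemplate("Sub-CA A (user certs)", 2, 0), root, &aKey.PublicKey, rootKey)
	subB := sign(caTemplate("Sub-CA B (service certs)", 3, 0), root, &bKey.PublicKey, rootKey)
	leafA := sign(leafTemplate("alice", 10, x509.ExtKeyUsageClientAuth), subA, &newKey().PublicKey, aKey)
	leafB := sign(leafTemplate("svc.example.test", 11, x509.ExtKeyUsageServerAuth), subB, &newKey().PublicKey, bKey)
	return &Hierarchy{Root: root, SubA: subA, SubB: subB, LeafA: leafA, LeafB: leafB}
}

// VerifyAgainst is the relying-party check: does leaf chain to one of the trust
// anchors through the given intermediates, and is it valid for the requested purpose?
// Using a sub-CA as the anchor pins the relying party to that sub-CA's security domain.
func VerifyAgainst(leaf *x509.Certificate, anchors, intermediates []*x509.Certificate, purpose x509.ExtKeyUsage) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{purpose},
	})
	return err
}

func main() {
	h := Build()
	root, subs, onlyA := []*x509.Certificate{h.Root}, []*x509.Certificate{h.SubA, h.SubB}, []*x509.Certificate{h.SubA}
	fmt.Println("alice as client, root trusted:   ", VerifyAgainst(h.LeafA, root, subs, x509.ExtKeyUsageClientAuth))
	fmt.Println("alice as server (wrong purpose): ", VerifyAgainst(h.LeafA, root, subs, x509.ExtKeyUsageServerAuth))
	fmt.Println("alice, only Sub-CA A trusted:    ", VerifyAgainst(h.LeafA, onlyA, nil, x509.ExtKeyUsageClientAuth))
	fmt.Println("svc cert, only Sub-CA A trusted: ", VerifyAgainst(h.LeafB, onlyA, nil, x509.ExtKeyUsageServerAuth))
}
```

The first and third calls succeed; the second fails with an incompatible-key-usage error because the leaf carries only the client-authentication EKU, and the fourth fails with an unknown-authority error because Sub-CA B is not in the trust set. This is the relying-party side of the design: scoping a sub-CA to a purpose is only effective if consumers verify both the issuing chain and the extended key usage, rather than trusting the root alone.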
