[Freeipa-devel] isolated pkcs11 module

Petr Spacek pspacek at redhat.com
Wed Oct 22 11:16:34 UTC 2014


Hello,

On 15.10.2014 16:24, Nikos Mavrogiannopoulos wrote:
> Hi,
>   Concerning: https://bugs.freedesktop.org/show_bug.cgi?id=51949#c3
> What are your requirements? We currently have working code (but not yet
> merged) for an isolated security module via p11-kit. Our requirements
> are to protect private keys by keeping them outside a process' boundary.
FreeIPA has the same requirement in this regard, plus a couple more.

> The main target is to run softhsm (v2) in an isolated mode. If we can
This was our plan too :-)

> combine efforts would be nice.
Definitely!

The original intent was to design an LDAP-backed PKCS#11 module which would be 
used for CA certificate distribution to clients.

E.g. SSSD would download the CA certificates managed by FreeIPA to the client and 
expose them via PKCS#11 to p11-kit. We hope that this would allow almost 
seamless CA roll-over.
This is in scope of https://fedorahosted.org/freeipa/ticket/4322

Later we found out that DNSSEC support in FreeIPA needs to distribute and 
share private keys among all FreeIPA DNS servers. It seems that an LDAP-backed 
PKCS#11 backend could be used for the same purpose.
The idea of how it can be done in a secure way is described at:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm#Keydistribution

We have not gotten to coding it yet, but the very rough idea was to wrap a local 
SoftHSM instance and use SSSD to do two-way synchronization between the local HSM 
and the LDAP backend.

It certainly could be extended to handle user credentials too (SSH private 
keys or passwords in GNOME keyring?).

Jan Cholasta (CCed) can add more details; he is the main architect of this 
solution :-)

-- 
Petr^2 Spacek
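For readers following the "isolated security module via p11-kit" idea that Nikos raises above: the following is an added example, not part of this thread or of FreeIPA/SSSD code, showing how a later p11-kit release lets an administrator run a PKCS#11 module such as SoftHSM v2 in a separate process instead of loading the shared object into every application. At the time of this message that remoting code was, as Nikos says, not yet merged, so this reflects the syntax documented in current pkcs11.conf(5). The file path, the module path and the filename are assumptions for the example; the real location of libsofthsm2.so varies by distribution.

```ini
# Assumed location: /etc/pkcs11/modules/softhsm2-isolated.module
# Added example of a p11-kit module configuration; not from the thread.
#
# "remote:" tells p11-kit not to dlopen() the module in the calling process.
# Instead it runs the given command (the leading "|" marks it as a command)
# and speaks p11-kit's remoting protocol to it over a pipe. The private keys
# therefore live only in the "p11-kit remote" child process, which is the
# process-boundary protection Nikos describes. The module path is an assumption.
remote: |p11-kit remote /usr/lib64/pkcs11/libsofthsm2.so

# If the isolated module fails to start, do not abort loading of every other
# registered module; applications then simply see no SoftHSM token.
critical: no
```

To check that the module is reachable through the isolated path rather than in-process, `p11-kit list-modules` should show the module with its token(s) while no `libsofthsm2.so` mapping appears in the application process (for example in `/proc/<pid>/maps`); only the `p11-kit remote` child should have it loaded.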