[Freeipa-devel] User Certificates in 4.2 - design and questions

Martin Kosek mkosek at redhat.com
Mon May 4 08:50:15 UTC 2015


Hello,

Please let me promote the design for one of the major FreeIPA 4.2 features, the
(user) certificates and Smart Card integration:

http://www.freeipa.org/page/V4/User_Certificates

The design went through a couple of interim discussions between developers outside
of this list, so there should not be too many objections. But still, please feel
free to comment on or improve the design yourself.

For FreeIPA 4.2, I think this results in the following, quite limited, scope of work:
* Adding eq, pres indices for userCertificate
* Applying a new policy for storing certificates in the userCertificate attribute,
based on the upcoming Certificate Profile feature by Fraser.
* Making sure that multiple certificates can be added to the userCertificate
attribute manually by CLI and UI

The "Certificate Identity Mapping" part will probably be moved to 4.3+, unless
there is an extra pool of development resources.

There is still something to be resolved: how should certificates be
revoked in object-del or object-disable actions? Currently, the certificate is
always stored in userCertificate and its serial is used for the revoke operation
in Dogtag. But that will not be true in 4.2+ since some certificates will not
be stored in accounts.

Do we only want to revoke those that have a policy to be stored in the
userCertificate attribute? That does not sound right to me. Or do we need a Dogtag
API that would allow us to query (or even revoke directly) all certificates
generated for a user/service/host and revoke them, regardless of whether they are
stored in the userCertificate attribute or not?

Thanks.

-- 
Martin Kosek <mkosek at redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
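The message above keys the Dogtag revoke call on the serial number pulled out of each value of the (multi-valued) userCertificate attribute. As an added illustration, not FreeIPA's or Dogtag's code, the following dependency-free Python walks the DER of each attribute value only as far as tbsCertificate.serialNumber, so it does not need a full X.509 parser and works the same for v1 certificates (no explicit version tag) and v3 ones. The entry dict stands in for an LDAP entry and the certificate blobs are constructed DER skeletons in which only the fields up to serialNumber are meaningful; they are not real certificates. Names such as `serials_from_entry` are this example's own.

```python
"""Extract serial numbers from every userCertificate value of an LDAP entry.

Added example, not FreeIPA code. Pure-stdlib DER walking: we only need
  Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
                                                        serialNumber INTEGER, ... } ... }
so we stop as soon as serialNumber has been read.
"""

SEQUENCE, INTEGER, OCTET_STRING, CTX0 = 0x30, 0x02, 0x04, 0xA0


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: 0x8N + N bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, end


def certificate_serial(der: bytes) -> int:
    """Return tbsCertificate.serialNumber of a DER-encoded certificate."""
    tag, start, _ = _read_tlv(der, 0)               # Certificate SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("not a certificate SEQUENCE")
    tag, start, _ = _read_tlv(der, start)           # tbsCertificate SEQUENCE
    if tag != SEQUENCE:
        raise ValueError("missing tbsCertificate")
    tag, vstart, vend = _read_tlv(der, start)
    if tag == CTX0:                                  # [0] EXPLICIT version present (v2/v3)
        tag, vstart, vend = _read_tlv(der, vend)
    if tag != INTEGER:
        raise ValueError("serialNumber is not an INTEGER")
    serial = int.from_bytes(der[vstart:vend], "big", signed=True)
    if serial < 0:                                   # RFC 5280 requires a positive serial
        raise ValueError("negative serial number")
    return serial


def serials_from_entry(entry: dict) -> list:
    """Collect the serials of all certificates stored on an entry.

    Accepts both the plain and the ';binary' attribute option, which LDAP
    clients may return for the same attribute. Returns sorted unique serials.
    """
    values = entry.get("userCertificate", []) + entry.get("userCertificate;binary", [])
    return sorted({certificate_serial(v) for v in values})


# --- constructed sample data (minimal DER skeletons, NOT real certificates) ---

def _der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV, using long-form length when needed."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _skeleton(serial_payload: bytes, with_version: bool, filler: int = 0) -> bytes:
    tbs = (_der(CTX0, _der(INTEGER, b"\x02")) if with_version else b"")
    tbs += _der(INTEGER, serial_payload)
    tbs += _der(OCTET_STRING, b"A" * filler)        # stands in for the remaining fields
    return _der(SEQUENCE, _der(SEQUENCE, tbs))


CERT_V3 = _skeleton(b"\x0d", with_version=True)                      # serial 13
CERT_V1 = _skeleton(b"\x12\x34", with_version=False)                 # serial 0x1234, no [0] tag
CERT_BIG = _skeleton(b"\x00" + b"\xff" * 19, with_version=True, filler=200)  # 152-bit serial,
                                                                     # long-form lengths
CERT_NEGATIVE = _skeleton(b"\xff", with_version=True)                # invalid: serial -1

SAMPLE_ENTRY = {
    "uid": ["alice"],
    "userCertificate;binary": [CERT_V3, CERT_BIG],
    "userCertificate": [CERT_V1, CERT_V3],           # duplicate value on purpose
}

if __name__ == "__main__":
    for s in serials_from_entry(SAMPLE_ENTRY):
        print(hex(s))
```

A real object-del hook would feed each returned serial to the CA's revoke call; the walk above deliberately reads nothing after serialNumber, so a value that is not a certificate at all (or one with a negative serial) raises rather than producing a bogus serial to revoke.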
