[Freeipa-devel] Yet another user certificates/Smart Card thread

Martin Babinsky mbabinsk at redhat.com
Mon May 25 12:55:39 UTC 2015 

Hello all, long post ahead!

I became a proud owner of https://fedorahosted.org/freeipa/ticket/4238, 
and while Martin's design page 
(http://www.freeipa.org/page/V4/User_Certificates) brings a 
comprehensive overview of what should be done, there are still some gray 
areas we should address both in the design page and the actual 
implementation.

These are the things that were agreed upon in previous thread(s):

1.) If the whole user certificates are available, the should be stored 
directly in the user entry as an attribute of the following format:

     "userCertificate;binary;$id",

where "id" should be an unique identifier. IIRC we agreed that the 
first/last 4 bytes of cert's SHA512 hash should fill the 'id' role 
nicely. During user authentication the whole binary blob would be 
matched (pspacek pointed out that the cost of this operation is acceptable).

2.) In addition, or when the user certs are stored externally, we should 
store the certificate metadata in the user entry. These metadata should 
be represented by "userCertAttrs;$id;$attr" attributes, where $attr 
subtype corresponds to the type of metadata (issuer, serial no., profile 
id, certificate hash etc.). The authentication/lookup would require some 
custom matching rule to fetch the correct cert.

Point 1. seems clear to me, we need to implement an index for 
userCertificate attribute in DS and modify 'user-add/mod' commands to 
allow for direct enrollment through API ("--usercertificate" option).

Point 2. requires more work: we need to add a new attribute 
"userCertAttrs" to the schema and create DS index/custom matching rule 
for searching. I'm also not quite sure how to approach the task of 
getting these metadata from external storage and putting them to the 
user entry.

These are the questions that should be addressed in a broader discussion:

What is the relation to Fraser's work (cert profiles/sub-CAs)? I have 
seen that the recent iteration of Fraser's patches (0010-3 and 0011-3) 
add some ACIs and attributes/requests related to user certificates. I 
suppose that the only way the user certs are related to cert profile 
will be that there will be a profile ID stored either in cert itself, or 
as a separate userCertAttr;$id;profileId attribute in user entry.

What to do with user certs when the entry is deleted? Should we revoke 
them or let them expire?

In the case that the user cert is stored in a separate location and not 
available to FreeIPA, how will we get the required attributes (see point 
2) to the user entry in LDAP tree?

How much of this work should actually be done in 4.2 timeframe? I guess 
all work related to point 1 will be done, but what about other features?

If I forgot something or got it wrong, please correct me.

Whew, this mail got out of hand quickly. Anyway let the discussion begin!

-- 
Martin^3 Babinsky

More information about the Freeipa-devel mailing list