[Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication
Martin Babinsky
mbabinsk at redhat.com
Tue Jan 10 09:48:08 UTC 2017
Hi Fraser,
I have some rather inane comments. I guess Jan cholasta will do a more
thorough review of your design. See below:
On 01/06/2017 09:08 AM, Fraser Tweedale wrote:
> Hi comrades,
>
> I have written up the high-level details of the FreeIPA->Dogtag
> GSS-API authentication design. The goal is improve security by
> removing an egregious privilege separation violation: the RA Agent
> cert.
>
> There is a fair bit of work still to do on the Dogtag side but
> things are shaping up there and it's time to work out the IPA
> aspects. The design is at:
>
> http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
first of all, you link a internal document from publicly available
design page. you should prepare a publicly visible version of the
Dogtag-side design and link that.
It would also be nice to have a high-level graphical representation of
the proposed CSR processing workflow. I think you can re-use the one
that is in the Dogtag part, omit the Dogtag internals and add
IPA-specific parts.
>
> Right now, I need feedback about the Domain Level aspects: whether
> it is the right approach, whether there are mechanisms to perform
> update steps (specifically: LDAP updates and/or api calls) alongside
> a DL bump, or if there aren't, how to deal with that (implement such
> a mechanism, make admins do extra steps, ???).
>
Is the DL bump really necessary? Are you sure we really can not just
update the profile configuration and let older Dogtag installation
handle it gracefully? IIRC we have done some profile inclusion work in
4.2 development and on and never really bothered about older Dogtag
understanding them.
Anyway I guess we can call `certprofile-import' to load
ExternalProcessConstraint-enabled profile upon setting domain level to
2, we just have to know where on the FS it is located.
> Of course, any other general or specific feedback is welcome.
>
> Thanks,
> Fraser
>
So if I understand correctly there will be no change in CA ACL
management interface and only the code which evaluates them will be
factored out into 'ipa-pki-validate-cert-request' command? Also,
wouldn't it simpler if the CA ACL evaluation was delegated to a separate
API command instead? ExternalProcessConstraint would then only ask IPA
JSON api and process the response.
--
Martin^3 Babinsky
More information about the Freeipa-devel
mailing list