[Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication

Martin Babinsky mbabinsk at redhat.com
Tue Jan 10 09:48:08 UTC 2017


Hi Fraser,

I have some rather inane comments. I guess Jan Cholasta will do a more 
thorough review of your design. See below:

On 01/06/2017 09:08 AM, Fraser Tweedale wrote:
> Hi comrades,
>
> I have written up the high-level details of the FreeIPA->Dogtag
> GSS-API authentication design.  The goal is to improve security by
> removing an egregious privilege separation violation: the RA Agent
> cert.
>
> There is a fair bit of work still to do on the Dogtag side but
> things are shaping up there and it's time to work out the IPA
> aspects.  The design is at:
>
>   http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication

First of all, you link an internal document from a publicly available 
design page. You should prepare a publicly visible version of the 
Dogtag-side design and link that.

It would also be nice to have a high-level graphical representation of 
the proposed CSR processing workflow. I think you can re-use the one 
that is in the Dogtag part, omit the Dogtag internals and add 
IPA-specific parts.

>
> Right now, I need feedback about the Domain Level aspects: whether
> it is the right approach, whether there are mechanisms to perform
> update steps (specifically: LDAP updates and/or api calls) alongside
> a DL bump, or if there aren't, how to deal with that (implement such
> a mechanism, make admins do extra steps, ???).
>

Is the DL bump really necessary? Are you sure we really cannot just 
update the profile configuration and let older Dogtag installations 
handle it gracefully? IIRC we have done some profile inclusion work in 
4.2 development and on and never really bothered about older Dogtag 
understanding them.

Anyway, I guess we can call `certprofile-import' to load the 
ExternalProcessConstraint-enabled profile upon setting the domain level to 
2; we just have to know where on the FS it is located.

> Of course, any other general or specific feedback is welcome.
>
> Thanks,
> Fraser
>

So if I understand correctly, there will be no change in the CA ACL 
management interface and only the code which evaluates them will be 
factored out into the 'ipa-pki-validate-cert-request' command? Also, 
wouldn't it be simpler if the CA ACL evaluation was delegated to a separate 
API command instead? ExternalProcessConstraint would then only ask the IPA 
JSON API and process the response.

-- 
Martin^3 Babinsky
