<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 08/03/2011 02:29 PM, Adam Young wrote:
<blockquote cite="mid:4E399382.9000805@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
On 08/03/2011 01:16 PM, Ian Stokes-Rees wrote:
<blockquote cite="mid:4E39826C.6070005@hkl.hms.harvard.edu"
type="cite">
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
<br>
<br>
On 8/3/11 12:38 PM, Adam Young wrote:<br>
<blockquote class=" cite" id="mid_4E397995_90403_redhat_com"
cite="mid:4E397995.90403@redhat.com" type="cite"> I think what
you are interested in is the Data Recovery Manager (DRM...hey,
we had the acronym first, but we also call it Key Recovery )
aspect of Certificate Server.</blockquote>
<br>
That is awesome. That is exactly what I want.<br>
<br>
Do you have experience with this? If so, does it work if the
certificate requests are being handled by an external entity?
We use a Department of Energy CA located in California, but the
users in our community are from across the US (and
international), and we're looking to improve the process of them
acquiring a usable "identity" in a federated environment. We're
using FreeIPA internally, but if we can link it in to the cert
request process and cert mgmt process (from the user end, not
the CA end) that would be great.<br>
<br>
Ian<br>
</blockquote>
Experience? I've been on the Dogtag project for over a week
now. I'm learning about it as we speak.<br>
<br>
The place to ask about Dogtag and the pki products is <a
moz-do-not-send="true"
href="http://www.redhat.com/mailman/listinfo/pki-users"
class="external text"
title="http://www.redhat.com/mailman/listinfo/pki-users"
rel="nofollow">pki-users@redhat.com</a> and the IRC Channel on
freednode is <b>#dogtag-pki.<br>
<br>
</b>Integrating KRA into IPA is on the map, although I am not sure
the timeframe. However, I suspect that our approach would be
assuming you wanted your own CA. Not sure if you can do KRA with<b>
</b>an external CA.<b><br>
</b>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
DRM is the way to go. However it does not support symmetric keys
now. This is the pert that we need for volume keys. May be it is the
vault to store all sorts of keys. This is something that needs to be
designed and looked at as a broader perspective. <br>
Adam likes to repeat a phase about dreaming big so I do. I want IPA
to be a vault for all sorts of keys and passwords and what else. If
DRM is the answer - great. <br>
I can start listing the use cases that such a key store should
satisfy and we can design something that would altimately fit the
build but build gradually knocking use cases one by one.<br>
I will take an action idem to come with the use cases. Give me
couple weeks as I am under water now...<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>