Fedora CA Project

Dennis Gilmore dennis at ausil.us
Thu Apr 10 20:17:23 UTC 2008


On Tuesday 25 March 2008, Dennis Gilmore wrote:
> We have come to the realisation that this has to be done sooner rather than
> later.  So I'm putting out a call for help and for feedback.
>
> We need to revamp the CA infrastructure used in Fedora.
>
> This is where I'd like to see us go.
>
> Publish a Certificate Revocation list so that all apps can check for
> revoked certs
>
> Have users able to revoke their own cert
> Have user certs be revoked when they request a new cert
> Have admins able to create/revoke certs
>
> There are 2 types of certificates currently handled by 2 CAs.  I really
> want to use a single CA for all:
>
> Type 1) User certs, used for plague/koji/cvs upload access.  There is
> work underway to use these for other Fedora web-based apps also.
>
> Type 2) Builders, kojira, internal service authentication.
>
>
> Products to be evaluated:
>
> http://pki.fedoraproject.org/wiki/PKI_Main_Page
> https://www.openca.org/
> http://ejbca.sourceforge.net/
> Something custom
>
> FAS will need modification to work with the new framework.  I also want to
> allow fedora-packager-setup to grab the cert directly rather than having
> the user manually do it, probably with a flag for when to get a new cert.
>
> All users will need to get new user certs when we make the change, as well
> as koji hub, all builders, koji garbage collection and bodhi.  It would also
> be a good time to deploy SSL auth for other apps.
>
> We have a ticket https://fedorahosted.org/fedora-infrastructure/ticket/466
>
> Please make suggestions for other apps we could use, and also ideas for
> making the workflow better.
>
> So this is a brief overview of what's needed.  I'm going to open the floor
> for a week for open discussion on how we should best do this.
>
> Dennis

To follow up on this: I'm going to be looking at dogtag first.  I've had a 
promise from them to help us when we have issues. 

OpenCA seems to have stalled development-wise.

ejbca has a very heavy footprint.

Something custom, I think, is too big of a task. 

So, people wanting to help with setting up, implementing and testing, please 
raise your hands now.

Dennis
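As an added illustration of the workflow the thread asks for (publish a CRL that relying apps check, let a user revoke their own cert, and revoke the old cert automatically when a new one is requested), the Go program below models it end to end with the standard library. It is example code written for this page, not code from the original post, from Fedora infrastructure, or from any of the products listed (dogtag, OpenCA, ejbca). Everything in it is an assumption for the demonstration: the in-memory `CA` type, the one-live-cert-per-user bookkeeping, ECDSA P-256 keys, a 24-hour CRL `NextUpdate`, and the user name "alice". `CheckRevoked` is the step a service such as the koji hub would add after its TLS layer has already chained the client cert to the CA; it refuses a CRL that is not signed by that CA and one whose `NextUpdate` has passed, since either case means the service does not actually know the cert's status.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a hypothetical in-memory issuer (not Fedora's or dogtag's code) modelling
// the post's workflow: one live cert per user, renewal revokes the old one, CRL published.
type CA struct {
	Cert       *x509.Certificate
	key        *ecdsa.PrivateKey
	nextSerial int64
	crlNumber  int64
	active     map[string]*big.Int // username -> serial of the live cert
	revoked    []pkix.RevokedCertificate
}

// issue generates a P-256 key for tmpl and has signer (self-signed when nil) certify it.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func NewCA(name string) (*CA, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		// CRLSign is mandatory: CreateRevocationList rejects an issuer without it.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, key, err := issue(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key, nextSerial: 2, active: map[string]*big.Int{}}, nil
}

// Revoke (the self-service case) lists the user's live cert as revoked; false if the user has none.
func (ca *CA) Revoke(user string) bool {
	serial, ok := ca.active[user]
	if ok {
		ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: serial, RevocationTime: time.Now()})
		delete(ca.active, user)
	}
	return ok
}

// IssueUserCert issues a client-auth cert; requesting a new one revokes the previous cert first.
func (ca *CA) IssueUserCert(user string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	ca.Revoke(user)
	serial := big.NewInt(ca.nextSerial)
	ca.nextSerial++
	cert, key, err := issue(&x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(180 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca.Cert, ca.key)
	if err == nil {
		ca.active[user] = serial
	}
	return cert, key, err
}

// CRL signs and returns a fresh DER CRL; the short NextUpdate forces relying parties to refetch.
func (ca *CA) CRL() ([]byte, error) {
	ca.crlNumber++
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(ca.crlNumber), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: ca.revoked,
	}, ca.Cert, ca.key)
}

// CheckRevoked is what a relying service runs after TLS has already chained cert to caCert.
func CheckRevoked(cert, caCert *x509.Certificate, crlDER []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	// A CRL not signed by our CA proves nothing; a stale one may be missing revocations.
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("crl expired %s; refetch before trusting", crl.NextUpdate.UTC())
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", cert.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

func main() {
	ca, _ := NewCA("Example CA")
	old, _, _ := ca.IssueUserCert("alice")
	renewed, _, _ := ca.IssueUserCert("alice") // renewal revokes old
	crl, _ := ca.CRL()
	fmt.Println(CheckRevoked(old, ca.Cert, crl, time.Now()), CheckRevoked(renewed, ca.Cert, crl, time.Now()))
}
```

Running it prints a revocation error for the first cert and `<nil>` for the renewed one. The CRL number is monotonic and `NextUpdate` is short on purpose: a relying service that caches a CRL past `NextUpdate` silently stops seeing new revocations, which defeats the point of publishing one.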

