Fedora CA Project

Dennis Gilmore dennis at ausil.us
Tue Mar 25 23:04:16 UTC 2008


We have come to the realisation that this has to be done sooner rather than 
later.  So I'm putting out a call for help and for feedback.

We need to revamp the CA infrastructure used in Fedora.  

This is where I'd like to see us go.

Publish a Certificate Revocation List so that all apps can check for revoked 
certs

Have users able to revoke their own cert
Have user certs be revoked when they request a new cert
Have admins able to create/revoke certs

There are 2 types of certificates currently handled by 2 CAs.  I really want 
to use a single CA for all:

Type 1)  User certs.  Used for plague/koji/cvs upload access.  There is work 
underway to use these for other Fedora web-based apps also.

Type 2)  Builders, kojira, internal service authentication.


Products to be evaluated:

http://pki.fedoraproject.org/wiki/PKI_Main_Page  
https://www.openca.org/
http://ejbca.sourceforge.net/
Something custom

FAS will need modification to work with the new framework.  I also want to 
allow fedora-packager-setup to grab the cert directly rather than having the 
user manually do it, probably with a flag for when to get a new cert.

All users will need to get new user certs when we make the change, as well as 
the koji hub, all builders, koji garbage collection, and bodhi.  It would also 
be a good time to deploy SSL auth for other apps.

We have a ticket https://fedorahosted.org/fedora-infrastructure/ticket/466

Please make suggestions for other apps we could use, and also ideas for making 
the workflow better.

So this is a brief overview of what's needed.  I'm going to open the floor for a 
week for open discussion on how we should best do this.

Dennis