Fedora CA Project
Dennis Gilmore
dennis at ausil.us
Tue Mar 25 23:04:16 UTC 2008
We have come to the realisation that this has to be done sooner rather than
later. So I'm putting out a call for help and for feedback.
We need to revamp the CA infrastructure used in Fedora.
This is where I'd like to see us go.
Publish a Certificate Revocation list so that all apps can check for revoked
certs
Have users able to revoke their own cert
Have user certs be revoked when they request a new cert
Have admins able to create/revoke certs
There are 2 types of certificates currently handled by 2 CAs. I really want
to use a single CA for all:
Type 1) User certs. Used for plague/koji/cvs upload access. There is work
underway to use these for other Fedora web-based apps also.
Type 2) Builders, kojira, internal service authentication.
Products to be evaluated:
http://pki.fedoraproject.org/wiki/PKI_Main_Page
https://www.openca.org/
http://ejbca.sourceforge.net/
Something custom
FAS will need modification to work with the new framework. I also want to
allow fedora-packager-setup to grab the cert directly rather than having the
user manually do it, probably with a flag for when to get a new cert.
All users will need to get new user certs when we make the change, as well as
koji hub, all builders, koji garbage collection, bodhi. It would also be a
good time to deploy SSL auth for other apps.
We have a ticket https://fedorahosted.org/fedora-infrastructure/ticket/466
Please make suggestions for other apps we could use, also ideas for making
the workflow better.
So this is a brief overview of what's needed. I'm going to open the floor for a
week for open discussion on how we should best do this.
Dennis