PKI (Was: Re: Meeting Log - 2009-11-19)

Greg Swift gregswift at gmail.com
Fri Nov 20 01:26:42 UTC 2009


On Thu, Nov 19, 2009 at 18:25, Mike McGrath <mmcgrath at redhat.com> wrote:

> On Fri, 20 Nov 2009, Mathieu Bridon (bochecha) wrote:
>
> > Hi,
> >
> > > 20:25 < dgilmore> mmcgrath: id like to try work on updating koji auth/ and notifications during F-13 life cycle
> > > 20:26 < ricky> PKI would be nice too :-)
> > > 20:26 -!- |pitr| [n=kvirc at 91.150.139.57] has joined #fedora-meeting
> > > 20:26 < mmcgrath> #idea updating koji auth and notifications
> > > 20:26 < mmcgrath> #idea pki (ricky says he'll do this and it'll be done by january)
> > > 20:26 < mmcgrath> :-P
> > > 20:26  * ricky runs
> > [snip]
> > > 20:28 < smooge> pki?
> > > 20:28 < smooge> sorry.. will talk off chan
> > > 20:28 < mmcgrath> smooge: yeah our pki right now is very... ehh manual
> > > 20:28 < mmcgrath> and not fun to manage :)
> >
> > Not sure that's what you're looking for, but the guys I work with have
> > created this neat Python module to handle CAs and certs:
> > http://bitbucket.org/faide/pki/
> >
> > It's free software (MIT or PSF).
> >
>
> I think anything helps, we've been looking at dogtag for a while but
> nothing has materialized yet.  It's good to keep our options open.
>
>
I played with koji a while back, and one thought that I had at the time was
about getting it to work with certmaster. I would think, based on the
description from its product page, that it would meet the conceptual
requirements:

From https://fedorahosted.org/certmaster/

   - Certmaster is a set of tools and a library for easily distributing SSL
   certificates to applications that need them
   - Certmaster originated in the Func <https://fedorahosted.org/func>project
   - Any application can use certmaster for easy exchange of SSL
   certificates
   - Certmaster has a python API and command line tool provided
   ("certmaster-request") for requesting certificates
   - A daemon, called "certmaster" is included to hand certificates out
   - The tool "certmaster-ca" is used to list certs and sign them when
   requests come in.
   - autosigning of new certificate requests is also supported but is off by
   default.
   - configuration is all done via minimal text files
   - certmaster has extensive audit logs of certificate operation

When I've looked at certmaster in the past I personally felt it needed a
touch more configuration to allow for the actual signing of certificates by
multiple applications, but a good framework is in place, and it works
fairly well for func.

One part I know it is definitely lacking is the user certificates.

-greg
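To make the workflow from the certmaster product page concrete (a requester generates a CSR, a CA-side tool lists and signs pending requests, autosigning is off by default, and every operation lands in an audit log), here is an added example that models that flow with plain openssl. It is not certmaster's own code and does not use its API; the directory layout, file names, the `AUTOSIGN` variable and the `example-ca` subject are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: a minimal model of the certmaster-style flow described on
# the product page (request -> pending queue -> operator signs -> certificate
# handed out, autosign off by default, audit log of operations).
# This is not certmaster's own code; the directory layout, file names and
# the AUTOSIGN variable are assumptions, and openssl stands in for the
# certmaster daemon's crypto.
set -e

PKI_ROOT="${PKI_ROOT:-$(mktemp -d)}"
CA_DIR="$PKI_ROOT/ca"
PENDING_DIR="$PKI_ROOT/requests"   # CSRs waiting for an operator decision
ISSUED_DIR="$PKI_ROOT/certs"       # signed certificates ready to hand out
AUDIT_LOG="$PKI_ROOT/audit.log"
AUTOSIGN="${AUTOSIGN:-0}"          # off by default, as certmaster documents

# Append one timestamped line per certificate operation.
audit() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$AUDIT_LOG"
}

# Create the CA key and self-signed CA certificate once.
ca_init() {
    mkdir -p "$CA_DIR" "$PENDING_DIR" "$ISSUED_DIR"
    if [ ! -f "$CA_DIR/ca.crt" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
            -subj "/CN=example-ca" >/dev/null 2>&1
        audit "ca-init subject=/CN=example-ca"
    fi
}

# Analogue of "certmaster-request": the requester keeps its private key
# and drops only the CSR into the pending queue.
request_cert() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$PKI_ROOT/$host.key" -out "$PENDING_DIR/$host.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    audit "request host=$host"
    if [ "$AUTOSIGN" = "1" ]; then
        sign_cert "$host"
    fi
}

# Analogue of listing with "certmaster-ca": hostnames awaiting signature.
list_pending() {
    for csr in "$PENDING_DIR"/*.csr; do
        [ -e "$csr" ] || continue
        basename "$csr" .csr
    done
}

# Analogue of signing with "certmaster-ca": refuse unless a request is pending.
sign_cert() {
    host="$1"
    csr="$PENDING_DIR/$host.csr"
    if [ ! -f "$csr" ]; then
        audit "sign-refused host=$host reason=no-pending-request"
        return 1
    fi
    openssl x509 -req -in "$csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
        -CAcreateserial -days 90 -out "$ISSUED_DIR/$host.crt" >/dev/null 2>&1
    rm -f "$csr"
    audit "sign host=$host $(openssl x509 -in "$ISSUED_DIR/$host.crt" -noout -serial)"
}

# Check that an issued certificate chains to the CA; prints OK or FAIL.
verify_cert() {
    host="$1"
    if openssl verify -CAfile "$CA_DIR/ca.crt" "$ISSUED_DIR/$host.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Walk through one request with autosign left off.
ca_init
request_cert web01.example
echo "pending: $(list_pending)"
sign_cert web01.example
echo "verify web01.example: $(verify_cert web01.example)"
cat "$AUDIT_LOG"
```

The point of the split between `request_cert` and `sign_cert` is the one the product page makes: a request never produces a certificate on its own unless an operator (or an explicit autosign setting) signs it, and the audit log records refusals as well as issuances, so a stray or replayed request shows up rather than silently minting a cert.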