[Freeipa-devel] [RFE] CA-less install

John Dennis jdennis at redhat.com
Fri Mar 29 14:40:47 UTC 2013


On 03/29/2013 07:57 AM, Petr Viktorin wrote:
> On 03/27/2013 04:40 PM, John Dennis wrote:
>> On 03/27/2013 11:23 AM, Petr Viktorin wrote:
>>> I don't want to check the subject because this RFE was prompted by IPA's
>>> normal CA rejecting valid wildcard certs. Is there a reasonable way to
>>> ask NSS if it will trust the cert?
>>
>> Yes. NSS provides a variety of tools to test validation.
>>
>> Going just on memory here, our current version of python-nss has a
>> simple call to test validation. Sometime in the last year I added a fair
>> amount of new support for certificate validation including getting back
>> diagnostic information for validation failures, however if I recall
>> correctly the extended functionality in python-nss has not been released
>> yet.
>
> Does the new code include downloading and importing CRLs?

Cert verification is a complex topic. This is further exacerbated by the 
introduction of PKIX. My understanding is NSS had "classic" verification 
code and later introduced PKIX. There has been an evolution between 
classic verification and PKIX. This is outside my domain of expertise. 
How and when CRLs are loaded in NSS is not something I can give advice 
on, especially in an area undergoing change.

I'm going to have to defer to an expert in this area, Bob Relyea, I've 
CC'ed him on this email.

Bob, to put this in context [1], the functionality in python-nss being 
discussed is the binding of the CERT_VerifyCertificate() function, 
something I added recently. Now the question arises as to how CRLs are 
meant to play into the verification process. Can you please explain how 
NSS expects this to be done? Pointers to existing documentation and code 
examples would also be helpful.

It would also be helpful to understand the PKIX roadmap and how this 
might affect coding decisions at the API level.

[1] Some additional context, the original motivation for exposing NSS 
cert verification to IPA was to solve the following problem. If someone 
wants to make the IPA CA a sub-CA (as opposed to a self-signed CA) we 
want to validate the externally provided CA cert *before* proceeding 
with the IPA installation. This is because if the CA cert is invalid 
everything will hugely blow-up (because we use the CA cert to sign all 
the certs issued in IPA, especially those used to validate cooperating 
components/agents, if those certs do not work nothing in IPA works). In 
addition to this narrow goal we in general want to be able to perform 
cert verification correctly in other contexts as well so the extent to 
which you can educate us in general on this topic will be appreciated.



-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
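As an added, stand-alone example (not python-nss, not FreeIPA code, and not part of the original message): the pre-install check described in [1], done with the openssl command-line tool instead of NSS's CERT_VerifyCertificate(). It builds a constructed test PKI (a self-signed external root, a proper sub-CA it issued, and a leaf certificate someone might hand over by mistake), then checks that a candidate CA certificate chains to the trust anchor, is within its validity period, is marked CA:TRUE, and has a keyUsage that permits keyCertSign. All file names, subjects and extension values are invented for the illustration.

```shell
#!/bin/sh
# Pre-flight validation of an externally issued sub-CA certificate before it
# is used as the signing CA of an installation.  Added example built on the
# openssl CLI; it is not python-nss or FreeIPA code.  The test PKI below is
# constructed on the fly under a temporary directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: root -> subca (CA:TRUE) and root -> leaf (CA:FALSE).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Corp/CN=Example External Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=Example Sub CA" \
        -keyout "$WORK/subca.key" -out "$WORK/subca.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/subca.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/subca.pem" >/dev/null 2>&1

    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=leaf.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# check_ca_cert CERT CAFILE
#   1. CERT chains to a trust anchor in CAFILE and is within its validity period
#      (openssl verify; note: no CRL is consulted unless -crl_check and a CRL are given)
#   2. CERT carries basicConstraints CA:TRUE, without which it cannot issue anything
#   3. if CERT has a keyUsage extension, it must include keyCertSign
# Returns 0 when all checks pass, 1 otherwise, and prints the reason.
check_ca_cert() {
    cert="$1"; cafile="$2"
    if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "REJECT: $cert does not chain to a trust anchor in $cafile (or is outside its validity period)"
        return 1
    fi
    text="$(openssl x509 -in "$cert" -noout -text)"
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "REJECT: $cert is not a CA certificate (basicConstraints lacks CA:TRUE)"
        return 1
    fi
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage' &&
       ! printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'; then
        echo "REJECT: $cert has a keyUsage extension that does not permit keyCertSign"
        return 1
    fi
    echo "OK: $cert is a usable CA certificate under $cafile"
    return 0
}

make_test_pki
check_ca_cert "$WORK/subca.pem" "$WORK/root.pem"            # accepted
check_ca_cert "$WORK/leaf.pem"  "$WORK/root.pem"  || true   # rejected: not a CA
check_ca_cert "$WORK/subca.pem" "$WORK/leaf.pem"  || true   # rejected: wrong trust anchor
```

The first two checks are the ones that would have stopped the "hugely blow-up" failure mode in [1] at install time: a certificate that does not chain to the operator's root, or that is not itself a CA, is rejected before anything is signed with it. Revocation is the part this example does not cover; `openssl verify` only checks a CRL when `-crl_check` is passed and a CRL is supplied, which mirrors the open question in the message about how NSS expects CRLs to enter the verification.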
