[Freeipa-interest] Interest in certificate management functions in IPA

Joshua Daniel Franklin jdf.lists at gmail.com
Tue Nov 13 16:53:46 UTC 2007


On Nov 13, 2007 7:26 AM, Karl MacMillan wrote:
> On Mon, 2007-11-12 at 22:22 -0800, Joshua Daniel Franklin wrote:
> > However, a word of caution that if you start talking
> > about anything beyond machine-level certificates
> > (such as SSL/TLS tied to a DNS name) the world gets
> > very complicated and as far as I can tell there's no
> > interoperability. Even the SOAP WS-Security
> > "standard" seems abandoned.
>
> We were thinking machine-level certificates initially, potentially moving
> to user certs for signing and encryption. What other areas would be of
> interest?

Well, just let me say what we wanted from WS-Security; there is a good
2003 article about the problem and the PKI requirements:
http://www.ibm.com/developerworks/webservices/library/ws-security.html
Basically it's an integrity / confidentiality / authentication standard. (The
problem with SOAP is that it's gotten to the point that the big players are
going in different directions and so implementations are no longer
compatible beyond simple operations, but you don't need to worry about
that.)

If you'd even be interested in going beyond that, there's the paragraph
here about problems with proxy requests:
http://en.wikipedia.org/wiki/Web_Services_Security#Alternative.28s.29
There are of course many possible reasons for an application to make
requests on behalf of a third party. I'm not sure what the best mechanism
for this would be, but a lot of automatic certificate generation wouldn't
hurt. :)



