<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 08/03/2011 01:16 PM, Ian Stokes-Rees wrote:
<blockquote cite="mid:4E39826C.6070005@hkl.hms.harvard.edu"
type="cite">
<br>
<br>
On 8/3/11 12:38 PM, Adam Young wrote:<br>
<blockquote class=" cite" id="mid_4E397995_90403_redhat_com"
cite="mid:4E397995.90403@redhat.com" type="cite"> I think what
you are interested in is the Data Recovery Manager (DRM...hey,
we had the acronym first, but we also call it Key Recovery)
aspect of Certificate Server.</blockquote>
<br>
That is awesome. That is exactly what I want.<br>
<br>
Do you have experience with this? If so, does it work if the
certificate requests are being handled by an external entity? We
use a Department of Energy CA located in California, but the users
in our community are from across the US (and international), and
we're looking to improve the process of them acquiring a usable
"identity" in a federated environment. We're using FreeIPA
internally, but if we can link it in to the cert request process
and cert mgmt process (from the user end, not the CA end) that
would be great.<br>
<br>
Ian<br>
</blockquote>
Experience? I've been on the Dogtag project for over a week now.
I'm learning about it as we speak.<br>
<br>
The place to ask about Dogtag and the pki products is <a
href="http://www.redhat.com/mailman/listinfo/pki-users"
class="external text"
title="http://www.redhat.com/mailman/listinfo/pki-users"
rel="nofollow">pki-users@redhat.com</a> and the IRC Channel on
freenode is <b>#dogtag-pki.<br>
<br>
</b>Integrating KRA into IPA is on the map, although I am not sure
of the timeframe. However, I suspect that our approach would be
assuming you wanted your own CA. Not sure if you can do KRA with<b>
</b>an external CA.<b><br>
</b>
</body>
</html>