[Pki-devel] Why we need to focus on the API for PKI moving forward.

Adam Young ayoung at redhat.com
Fri Oct 14 20:47:58 UTC 2011


He posted a follow-up on why he took it down:

https://plus.google.com/110981030061712822816/posts

OK, let's assume that Dogtag PKI is going to be wildly successful.  Cuz, 
we all know that to be the fact.  By wildly successful I mean that there 
is an installation in many companies.  Everyone in that company that 
needs a certificate, that needs decent PKI infrastructure, has access to 
one. How are they going to use it?

Lots of ways.  Too many to count.  Some will do what Candlepin is doing 
and use it to track who can connect to what network.  The legal 
department will use it to sign documents.  IT will use it to make sure 
that only trusted people can get into the datacenter.  All the use cases 
we currently know about and more.

For example, Web Single Sign on is a big deal these days, but when you 
get right down to it, all the implementations resolve to: redirect to 
this server over here and log on with your userid and password.


Userid and password?  What is this, 1983?

Login:pfalker:
Password:Joshua.
Would you like to play a nice game of chess?

Kerberos is a much better solution.  The only problem is that it goes 
through ports other than the universally sanctioned 80/443.  So, unless 
a means to proxy Kerberos via 443 comes around, and then gets 
implemented in all browsers, Kerberos will be restricted to inside the 
corporate firewall.

If only there were a cryptographically secure way to log into a web 
application that worked in all browsers and through standard ports...

OK, so Web Single Sign on could easily be the killer app for Dogtag.  
But we don't need to bet the farm on it.  We need to make it so that 
everyone can use Dogtag, and use it easily.  A good, web services based 
API is "Necessary but not sufficient."  What else do we need?

Dogtag does an innovative form of Authentication.  It uses the Client 
certificate to find out who you are, and then looks up in LDAP to find 
out the rest of your user information.  This mechanism needs to be made 
into a reusable authentication Realm so it can be used by other 
applications running in Tomcat and JBoss.
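As an added illustration of the Realm idea above (example code, not Dogtag's own), here is a minimal Tomcat Realm that takes the identity from the client certificate and fills in the rest of the user's information from LDAP. It assumes Tomcat 8/9's RealmBase API, an LDAP server at ldapUrl, user entries under userBase that store the certificate subject DN in the attribute named by dnAttribute, and group membership exposed via memberOf; all of these names are assumptions.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

// Added example, not Dogtag code. Hypothetical LDAP layout: the cert subject DN
// is stored in dnAttribute on the user entry; roles come from memberOf.
public class CertLdapRealm extends RealmBase {
    private String ldapUrl = "ldap://localhost:389";
    private String userBase = "ou=people,dc=example,dc=com";
    private String dnAttribute = "description";   // hypothetical mapping attribute

    // Setters let server.xml configure the realm: <Realm className="..." ldapUrl="..."/>
    public void setLdapUrl(String v) { ldapUrl = v; }
    public void setUserBase(String v) { userBase = v; }
    public void setDnAttribute(String v) { dnAttribute = v; }

    // RealmBase.authenticate(X509Certificate[]) has already required a non-empty
    // chain (validated against the trust store by the TLS layer, and checked for
    // expiry when validate="true"); it then calls getPrincipal() with the subject DN.
    @Override
    protected Principal getPrincipal(String subjectDn) {
        try {
            LdapContext ctx = new InitialLdapContext(env(), null);
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] {"uid", "memberOf"});
                // The DN goes in as a filter argument, never string-concatenated,
                // so special characters in a subject name cannot rewrite the filter.
                NamingEnumeration<SearchResult> r = ctx.search(userBase,
                        "(" + dnAttribute + "={0})", new Object[] {subjectDn}, sc);
                if (!r.hasMore()) return null;            // unknown certificate: deny
                Attributes a = r.next().getAttributes();
                Attribute uid = a.get("uid");
                if (uid == null) return null;             // entry unusable: deny
                List<String> roles = new ArrayList<>();
                Attribute groups = a.get("memberOf");
                for (int i = 0; groups != null && i < groups.size(); i++)
                    roles.add((String) groups.get(i));
                return new GenericPrincipal((String) uid.get(), null, roles);
            } finally { ctx.close(); }
        } catch (Exception e) {
            containerLog.warn("LDAP lookup failed for " + subjectDn, e);
            return null;                                  // fail closed
        }
    }

    // Certificate-only realm: no password exists, so password logins always fail.
    @Override
    protected String getPassword(String username) { return null; }

    private Hashtable<String, String> env() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        return env;
    }
}
```

Because the realm returns null for every failure (no match, missing uid, LDAP error), a request with an unmapped certificate is denied rather than falling through to another authentication path.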

Down the road, we will want to port it to HTTPD as well as to talk JDBC 
to Relational Databases, but really, if we are successful, 
someone else out there may just take care of that for us.

We now need to make it easy to install.  We are looking at pkicreate 
and pkisilent with an eye to streamlining and simplifying the install 
process.

We need examples of people using Dogtag.  eCommerce, Legal, Medical 
(HIPAA!), Educational sites that use Dogtag as their PKI implementation.

We need to get the word out.  The long time Dogtag developers are the 
people who know PKI better than anyone.  Not in the abstract sense, but 
in the "Done it in the real world, under load, for very important 
systems" sense.  Dogtag is a mature, complete, Open Source, PKI 
implementation.  When you search Google for "Open Source PKI", you 
should have to scroll to the second page to find a mention of something 
other than Dogtag or one of its derivatives.
