[Pki-devel] The Why's of PKI
Andrew Wnuk
awnuk at redhat.com
Wed Sep 14 00:48:59 UTC 2011
On 09/13/2011 06:41 AM, Adam Young wrote:
> The Layout of the PKI project is very unusual for a Java Server
> application.
> I'm trying to understand the rationale for some of the things that
> were done.
>
> Why do we create a separate server instance for each subsystem?
Because each subsystem is a standalone server.
> Is there a reason to continue doing so?
It provides great flexibility in deploying Certificate Server.
>
> Is using different ports for CA and DRM (and so forth) merely an
> artifact of using multiple servers, or is there an additional reason
> to do so?
Pkicreate tool allows selecting any ports. Pkicreate also suggests
ports for out of the box ease of use.
>
> Do we expect the same user to have and use different certificates for
> different servers,
This is a matter of deployment strategy.
> such that the certificate then becomes a union of authentication and
> authorization?
Certificates are the source of identity. Authorization is a separate
process based on verified identity.
>
> Is there a reason to separate the CA and DRM Directory servers?
Protection of archived keys.
> Is it a "best practice" to do so? What would be the implications of
> using a single instance for both?
>
> Is there any reason why the CA uses an LDAP server instead of a
> Relational Database?
X509 certificates use the same distinguished names as LDAP.
Many identity products are based on directories.
Provides very secure access options.
Provides robust replication over secure channel.
> Do we expect people to make queries directly against the CA DirSrv,
No
> or is the Database best hidden from public view?
>
> Why do we split the build process up into multiple Source RPMS?
> Is there a reason to maintain this split?
>
> Are there design documents or discussions for these decisions?
Yes, please look for "Legacy Certificate Management System Website" on
the internal CS wiki.
>