[Pki-devel] The Why's of PKI

Andrew Wnuk awnuk at redhat.com
Wed Sep 14 00:48:59 UTC 2011


On 09/13/2011 06:41 AM, Adam Young wrote:
> The Layout of the PKI project is very unusual for a Java Server
> application.
>
> I'm trying to understand the rationale for some of the things that
> were done.
>
> Why do we create a separate server instance for each subsystem?

Because each subsystem is a standalone server.

> Is there a reason to continue doing so?

It provides great flexibility in deploying Certificate Server

>
> Is using different ports for CA and DRM (and so forth) merely an
> artifact of using multiple servers, or is there an additional reason
> to do so?

The pkicreate tool allows selecting any ports.  Pkicreate also suggests
ports for out-of-the-box ease of use.

>
> Do we expect the same user to have and use different certificates for
> different servers,

This is a matter of deployment strategy.

> such that the certificate then becomes a union of authentication and 
> authorization?

Certificates are the source of identity.  Authorization is a separate 
process based on verified identity.

>
> Is there a  reason to separate the CA and DRM Directory servers?

Protection of archived keys.

> Is it a "best practice" to do so?  What would be the implications of
> using a single instance for both?
>
> Is there any reason why the CA uses an LDAP server instead of a 
> Relational Database?

X509 certificates use the same distinguished names as LDAP.
Many identity products are based on directories.
Provides very secure access options.
Provides robust replication over secure channel.

> Do we expect people to make queries directly against the CA DirSrv,

No

> or is the Database best hidden from public view?
>
> Why do we split the build process up into multiple Source RPMS?

> Is there a reason to maintain this split?
>
> Are there design documents or discussions for these decisions?

Yes, please look for "Legacy Certificate Management System Website" on 
the internal CS wiki.

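The point made above, that X.509 certificates and LDAP share one distinguished-name namespace, can be checked mechanically. The following is an added example written for this thread, not code from Certificate Server or from Red Hat: it parses RFC 4514 string DNs (the form a subject takes when printed with `openssl x509 -noout -subject -nameopt RFC2253`), normalizes them the way LDAP's caseIgnoreMatch would, and compares a certificate subject with an LDAP entry DN. It also reverses the RDN order of OpenSSL's legacy slash-separated subject output, which lists the root RDN first while LDAP string DNs list it last. The sample DNs, the alias table and the function names are constructed for the example.

```python
import re

# Constructed for this example: dotted OIDs and short aliases seen in certificate
# subjects, mapped to the LDAP attribute name (attribute types are case-insensitive).
TYPE_ALIASES = {
    "2.5.4.3": "cn", "2.5.4.6": "c", "2.5.4.7": "l", "2.5.4.8": "st", "s": "st",
    "2.5.4.10": "o", "2.5.4.11": "ou", "0.9.2342.19200300.100.1.1": "uid",
    "0.9.2342.19200300.100.1.25": "dc", "1.2.840.113549.1.9.1": "emailaddress",
    "e": "emailaddress", "email": "emailaddress",
}
HEX_DIGITS = "0123456789abcdefABCDEF"


def parse_dn(dn):
    """Parse an RFC 4514 string DN into a list of RDNs, most specific first.
    Each RDN is a list of (type, value) pairs; a multi-valued RDN ('+') has several.
    Handles backslash escapes and \\XX hex pairs; RFC 2253 quoted values are not handled."""
    rdns, rdn, buf = [], [], []   # buf holds (char, was_escaped) pairs
    attr_type, in_value = None, False

    def flush():
        # Unescaped spaces around '=', ',' and '+' are insignificant (RFC 4514 section 3).
        while buf and buf[0] == (" ", False):
            buf.pop(0)
        while buf and buf[-1] == (" ", False):
            buf.pop()
        text = "".join(ch for ch, _ in buf)
        buf.clear()
        return text

    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            if i + 2 < len(dn) and dn[i + 1] in HEX_DIGITS and dn[i + 2] in HEX_DIGITS:
                buf.append((chr(int(dn[i + 1:i + 3], 16)), True))  # e.g. \2C is a comma
                i += 3
            else:
                buf.append((dn[i + 1], True))                      # e.g. \, \+ \" \\
                i += 2
            continue
        if not in_value and c == "=":
            attr_type, in_value = flush(), True
        elif in_value and c in ",+":
            rdn.append((attr_type, flush()))
            in_value = False
            if c == ",":
                rdns.append(rdn)
                rdn = []
        else:
            buf.append((c, False))
        i += 1
    if in_value:
        rdn.append((attr_type, flush()))
        rdns.append(rdn)
    elif buf or rdn:
        raise ValueError("malformed DN: %r" % dn)
    return rdns


def normalize(rdns):
    """Canonical form for equality: types lower-cased and resolved through TYPE_ALIASES;
    values folded as LDAP caseIgnoreMatch does (case and runs of whitespace ignored).
    Pairs inside a multi-valued RDN are sorted because their order is not significant."""
    out = []
    for rdn in rdns:
        pairs = []
        for t, v in rdn:
            t = t.lower()
            pairs.append((TYPE_ALIASES.get(t, t), re.sub(r"\s+", " ", v).strip().lower()))
        out.append(tuple(sorted(pairs)))
    return tuple(out)


def dn_equal(a, b):
    """True when two string DNs name the same entry, whichever syntax variant each uses."""
    return normalize(parse_dn(a)) == normalize(parse_dn(b))


def escape_value(v):
    """Escape an attribute value for RFC 4514 string form."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in v)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if len(v) > 1 and v.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def to_rfc4514(rdns):
    """Serialize parsed RDNs back to an RFC 4514 string usable as an LDAP DN."""
    return ",".join("+".join("%s=%s" % (t, escape_value(v)) for t, v in rdn) for rdn in rdns)


def openssl_legacy_to_rfc4514(oneline):
    """Convert OpenSSL's legacy one-line subject ('/C=US/O=Example, Inc./CN=alice'),
    which lists the root RDN first and does not escape commas, into LDAP order
    ('CN=alice,O=Example\\, Inc.,C=US'). Assumes no '/' or '+' inside values."""
    rdns = []
    for part in oneline.split("/"):
        if part:
            t, _, v = part.partition("=")
            rdns.append([(t, v)])
    return to_rfc4514(reversed(rdns))


if __name__ == "__main__":
    # Constructed sample: a subject as printed with -nameopt RFC2253, and an LDAP entry
    # DN typed by an administrator with different case, spacing and a hex escape.
    cert_subject = "CN=alice,OU=Engineering,O=Example\\, Inc.,C=US"
    ldap_entry = "cn=Alice, ou=engineering, o=Example\\2C Inc., c=us"
    print(dn_equal(cert_subject, ldap_entry))
    print(openssl_legacy_to_rfc4514("/C=US/O=Example, Inc./OU=Engineering/CN=alice"))
```

The comparison is deliberately done on parsed and normalized RDNs rather than on raw strings: two DNs that differ only in case, insignificant whitespace, OID versus short name, escape style or the order of values inside a multi-valued RDN are the same name in both X.509 and LDAP, and a string compare would wrongly reject them.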
