[Pki-devel] The Why's of PKI

Michael Brown mrb137 at gmail.com
Wed Sep 14 12:08:43 UTC 2011


On 09/13/2011 08:48 PM, Andrew Wnuk wrote:
> On 09/13/2011 06:41 AM, Adam Young wrote:
>> The layout of the PKI project is very unusual for a Java server 
>> application.
>
>> I'm trying to understand the rationale for some of the things that 
>> were done.
>>
>> Why do we create a separate server instance for each subsystem?
>
> Because each subsystem is a standalone server.
>
>> Is there a reason to continue doing so?
>
> It provides great flexibility in deploying Certificate Server
>
>>
>> Is using different ports for CA and DRM (and so forth) merely an 
>> artifact of using multiple servers, or is there an additional reason 
>> to do so?
>
> The pkicreate tool allows selecting any ports.  Pkicreate also suggests 
> ports for out-of-the-box ease of use.
>
>>
>> Do we expect the same user to have and use different certificates 
>> for different servers,
>
> This is a matter of deployment strategy.
>
>> such that the certificate then becomes a union of authentication and 
>> authorization?
>
> Certificates are the source of identity.  Authorization is a separate 
> process based on verified identity.
>
>>
>> Is there a  reason to separate the CA and DRM Directory servers?
>
> Protection of archived keys.
>
>>   Is it a "best practice" to do so?  What would be the implications 
>> of using a single instance for both?
>>
>> Is there any reason why the CA uses an LDAP server instead of a 
>> Relational Database?
>
> X509 certificates use the same distinguished names as LDAP.
> Many identity products are based on directories.
> Provides very secure access options.
> Provides robust replication over secure channel.
>
>>   Do we expect people to make queries directly against the CA DirSrv,
>
> No


These discussion points are ones I often have with customers I support, 
so I echo Chandra that it's refreshing to see.  In regards to whether we 
expect people to make queries I think Andrew is correct, but a large US 
Government customer regularly queries the CA internal slapd servers that 
they manage and operate.  The reasons for this have to do with legacy 
publishing issues that Red Hat has worked hard to resolve in the current 
rev of the product.  In earlier revs of the product the customer found 
that they could not rely upon the publishing functionality to reliably 
publish both the large number of certificates they issued and the large 
size CRLs they generated for use by the user base, so they developed an 
out of band methodology to pull certificates and CRLs from the CA 
internal slapd servers using the servlets built into the product, and 
populate another set of Directory Servers with the certs and CRLs.  This 
methodology had worked well for them for several years and helped to a 
large extent to resolve the distribution of the very large CRLs.  Not to 
say there aren't remaining challenges, but it's to the point that they 
aren't complaining as loudly as previously.


>
>> or is the Database best hidden from public view?
>>
>> Why do we split the build process up into multiple Source RPMS?
>
>>   Is there a reason to maintain this split?
>>
>> Are there design documents or discussions for these decisions?
>
> Yes, please look for "Legacy Certificate Management System Website" on 
> the internal CS wiki.
>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel