[Pki-devel] Dogtag sub-CA design proposal; work-in-progress

Fraser Tweedale ftweedal at redhat.com
Fri Jun 20 08:12:40 UTC 2014


On Wed, Jun 18, 2014 at 04:32:11PM -0400, Dmitri Pal wrote:
> On 06/18/2014 03:15 PM, Ade Lee wrote:
> >Added my comments to the etherpad.
> 

I've fleshed out and formatted the design proposal (though it is
still far from complete) and put it up on the wiki:

    http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs

And also the LDAP Profile Storage design proposal, which is in a
similar state of incompleteness.  I hope to nail down the LDAP
schema, finalise the design and begin implementing next week:

    http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage

On the bright side, I think that there are no dependencies between
these design proposals.  In FreeIPA there might or might not be a
conceptual association between the two, but that could exist only on
the FreeIPA side, and shouldn't affect the implementation of these
changes.

On the Solution 1 vs Solution 2 debate, from a cleanliness of
implementation view, I think Solution 1 is better, however the fact
that the creation of a new sub-CA must be effected on all replicas
lends much weight to Solution 2.

Anyhow, have a nice weekend and I look forward to continuing the
design process next week.

Cheers,

Fraser


> I added a couple of comments but have to go so I will resume on Monday. Sorry.
> >Ade
> >
> >On Tue, 2014-06-17 at 14:19 -0400, Dmitri Pal wrote:
> >>On 06/17/2014 08:11 AM, Ade Lee wrote:
> >>>I can't access this etherpad.  It says it needs an account/password.
> >>>How do I get an account?
> >>>
> >>>My guess also will be that others in the dogtag group will have trouble
> >>>getting to this account too.  I would suggest putting this on a more
> >>>accessible etherpad - like http://etherpad.corp.redhat.com perhaps or
> >>>even a public etherpad.
> >>I changed access. Ade you should be able to see it now.
> >>I also added my comments.
> >>
> >>Fraser it is OK to create a design page on the IPA or Dogtag wiki and
> >>discuss this on the public list.
> >>
> >>>Ade
> >>>
> >>>On Tue, 2014-06-17 at 17:14 +1000, Fraser Tweedale wrote:
> >>>>Hi Ade,
> >>>>
> >>>>Have been working on the design document and comprehending the
> >>>>subsystem/SigningUnit implementation today.  The document so far is
> >>>>at http://idm.etherpad.corp.redhat.com/dogtag-sub-ca-design.  Please
> >>>>pass along to / copy in anyone else whose feedback would be valuable
> >>>>at this stage of design.
> >>>>
> >>>>Dmitri, could you please provide input on whether no-restart of
> >>>>Dogtag is a requirement w.r.t. FreeIPA's use of Dogtag sub-CAs?
> >>>>Insights regarding the impact of replication on the proposed design
> >>>>approach would also be appreciated.
> >>>>
> >>>>Cheers,
> >>>>
> >>>>Fraser
> >>
> >
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> 