Keystone needs signing certificates for signing PKI tokens.

In addition, CERN has developed an approach that allows users to authenticate to Keystone via X509 for batch jobs. This requires client certs.

Both of these use cases are easily supported by Dogtag, but not exposed via FreeIPA yet.

The easiest path forward is to open up direct access to the Dogtag REST APIs.

In this case, the work flow would be:

User sends CSR to Dogtag
Agent approves
User fetches signed certificate
User uploads to IPA

The questions I have relate to Dogtag/IPA integration:

All actions to Dogtag should be via mod_nss secured with Kerberos.
Does this tie in with Dogtag, or would Dogtag require client-side certificate validation? Even with Kerberos authentication, there is still no cross reference between the Kerberos principal and the CSR subject. Is this a problem? I thought there was a custom Tomcat Realm for integrating with Kerberos. If so, does this expose the correct data to check the subject in the CSR? Are there security implications in the user uploading their own certificates to FreeIPA's LDAP?

Can we re-enable the Dogtag XSRF checking without breaking IPA?

Does it make sense to have an extension to ipa-server-install that specifies a Keystone user that becomes a Dogtag agent, or a comparable commandline tool of the ipa-* family?

If we expose a URL for CSRs, that exposes the potential to request CSRs with any set of attributes. The agent would need to be careful not to sign inappropriate requests. Is there any support for limiting the types of requests that would be acceptable?
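One way to close the gap between the Kerberos principal and the CSR subject that the message raises, as an added Go example (not FreeIPA or Dogtag code): a policy check run after mod_nss/Kerberos authentication and before the request reaches the agent queue, so that an authenticated principal can only request names it owns. The principal-to-subject policy and the newCSR fixture are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// principalMatchesCSR ties the authenticating Kerberos principal to the CSR.
// Assumed policy (constructed here): "alice@REALM" may request only CN=alice
// with no SANs; "svc/fqdn@REALM" CN=fqdn plus DNS SANs equal to fqdn only.
func principalMatchesCSR(principal string, csr *x509.CertificateRequest) error {
	if err := csr.CheckSignature(); err != nil { // proof of possession of the key
		return fmt.Errorf("bad CSR signature: %w", err)
	}
	name, _, ok := strings.Cut(principal, "@")
	if !ok || name == "" {
		return fmt.Errorf("malformed principal %q", principal)
	}
	expectedCN, isService := name, false
	if _, inst, hasInst := strings.Cut(name, "/"); hasInst {
		expectedCN, isService = inst, true
	}
	if expectedCN == "" || csr.Subject.CommonName != expectedCN {
		return fmt.Errorf("CN %q does not match principal %q", csr.Subject.CommonName, principal)
	}
	if len(csr.EmailAddresses)+len(csr.IPAddresses)+len(csr.URIs) > 0 {
		return fmt.Errorf("only DNS SANs are permitted")
	}
	for _, d := range csr.DNSNames {
		if !isService || d != expectedCN {
			return fmt.Errorf("SAN %q not permitted for %q", d, principal)
		}
	}
	return nil
}

// newCSR builds a constructed test fixture; errors are ignored since it is sample input only.
func newCSR(cn string, dns []string) *x509.CertificateRequest {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dns}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	csr, _ := x509.ParseCertificateRequest(der)
	return csr
}
```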

Freeipa-devel mailing list