On 01.10.2013 21:57, Simo Sorce wrote:
> ----- Original Message -----
>> On 13.9.2013 11:05, Jan Cholasta wrote:
>>> On 13.9.2013 10:53, Martin Kosek wrote:
>>>> On 09/13/2013 10:51 AM, Jan Cholasta wrote:
>>>>> On 5.9.2013 10:28, Jan Cholasta wrote:
>>>>>> On 3.9.2013 18:16, Dmitri Pal wrote:
>>>>>>> On 09/02/2013 04:49 AM, Petr Spacek wrote:
>>>>>>>> It reminds me problems with key-rotation for DNSSEC.
>>>>>>>> Could we find common problems and use the same/similar
>>>>>>>> solution for both problems?
>>>>>>>> An extension for certmonger? Oddjob? Or a completely
>>>>>>>> new daemon?
>>>>>>> Certmonger already has a way to: 1) Check things
>>>>>>> periodically 2) Hand certs in different places 3) Run
>>>>>>> post op scripts
>>>>>>> IMO it is a good candidate but I would leave it to Nalin
>>>>>>> to chime in.
>>>>>> I would expect more things that require periodic checking
>>>>>> on clients beyond certificates to come in the future, so
>>>>>> I'm not sure if doing this in certmonger is the right thing
>>>>>> to do. Also, SSSD already does a similar thing for realm
>>>>>> domains, right?
>>>> Are you suggesting extending SSSD to handle that?
>>> Yes.
>>>>>> Honza
>>>>> So, does anyone have any strong opinions on this?
>>>> Not at this point. BTW, is there any reason why we cannot go
>>>> the simple way and just utilize cron and a script? Previously
>>>> we just dropped conf to /etc/cron.d for ipa-compliance script
>>>> and it worked quite well.
>>> Hmm, that's so simple it might just work. At least until there is
>>> a better way.
>> I have been thinking about this for some time now and came up with
>> this solution:
>> Write a library implementing the PKCS#11 API (Cryptoki), which
>> would provide the shared CA certificates and associated
>> information (nicknames, trust flags). The library would get the
>> certificates from SSSD, which in turn would get them from IPA (and
>> do the usual stuff like caching).
>> This library could then be used by IPA NSS databases as a source
>> of trust information for IPA services (see modutil). It could also
>> be used by p11-glue to provide the trust information to the rest of
>> the system.
>> Pros: * Automatic support for getting trust information stored in
>> IPA in all the applications that understand PKCS#11. * Certificates
>> are fetched from IPA on-demand, not periodically like in the
>> previous solutions.
>> Cons: * Complexity of implementation? (I don't know about this one,
>> I briefly looked at the source code of the p11-kit PKCS#11 module
>> and it looked manageable to me.)
>> Does this sound reasonable?
> Sounds reasonable to me, however I assume you will do some caching,
> both to avoid lenghty waits and to handle offline cases, so I'd like
> to know more how/when you are going to use the caches vs fetching the
> cert chains from the server.

I sorta imagined it would use the sssd cache, and pull the data via
sssd. Is that what you guys thought?


Freeipa-devel mailing list

Reply via email to