Simo Sorce wrote:
----- Original Message -----
On 13.9.2013 11:05, Jan Cholasta wrote:
On 13.9.2013 10:53, Martin Kosek wrote:
On 09/13/2013 10:51 AM, Jan Cholasta wrote:
On 5.9.2013 10:28, Jan Cholasta wrote:
On 3.9.2013 18:16, Dmitri Pal wrote:
On 09/02/2013 04:49 AM, Petr Spacek wrote:
It reminds me problems with key-rotation for DNSSEC.

Could we find common problems and use the same/similar solution for
both problems?

An extension for certmonger? Oddjob? Or a completely new daemon?

Certmonger already has a way to:
1) Check things periodically
2) Hand certs in different places
3) Run post op scripts

IMO it is a good candidate but I would leave it to Nalin to chime in.


I would expect more things that require periodic checking on clients
beyond certificates to come in the future, so I'm not sure if doing
this
in certmonger is the right thing to do. Also, SSSD already does a
similar thing for realm domains, right?

Are you suggesting extending SSSD to handle that?

Yes.



Honza


So, does anyone have any strong opinions on this?

Not at this point. BTW, is there any reason why we cannot go the
simple way and
just utilize cron and a script? Previously we just dropped conf to
/etc/cron.d
for ipa-compliance script and it worked quite well.

Hmm, that's so simple it might just work. At least until there is a
better way.

I have been thinking about this for some time now and came up with this
solution:

Write a library implementing the PKCS#11 API (Cryptoki), which would
provide the shared CA certificates and associated information
(nicknames, trust flags). The library would get the certificates from
SSSD, which in turn would get them from IPA (and do the usual stuff like
caching).

This library could then be used by IPA NSS databases as a source of
trust information for IPA services (see modutil). It could also be used
by p11-glue to provide the trust information to the rest of the system.

Pros:
    * Automatic support for getting trust information stored in IPA in
all the applications that understand PKCS#11.
    * Certificates are fetched from IPA on-demand, not periodically like
in the previous solutions.

Cons:
    * Complexity of implementation? (I don't know about this one, I
briefly looked at the source code of the p11-kit PKCS#11 module and it
looked manageable to me.)

Does this sound reasonable?


Sounds reasonable to me, however I assume you will do some caching, both to 
avoid lenghty waits and to handle offline cases, so I'd like to know more 
how/when you are going to use the caches vs fetching the cert chains from the 
server.

For on-demand, what are we talking about, fetching the cert when the module is loaded? Or whenever someone wants to use (e.g. validate) the cert?

How often will this cert change, after all?

What would the load be like? Is it fatal if the cert can't be obtained?

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to