On 14.2.2014 12:27, Jan Cholasta wrote:
On 14.2.2014 12:08, Petr Spacek wrote:
On 14.2.2014 11:03, Jan Cholasta wrote:
On 13.2.2014 18:36, Petr Spacek wrote:
Hello list,

I would like to point you to design pages for DNSSEC feature:

Zone signing:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Automatic key rotation:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm

https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Longterm

You can ignore bind-dyndb-ldap specifics and think about interactions
with FreeIPA and SSSD.

- We need to design an LDAP schema for key storage (Ludwig is looking into it).

Keep in mind the schema has to work with or be extensible enough for other
uses as well, ATM at least IPA CA certificate storage.

Feel free to extend the design page as necessary. Maybe we should
create a separate design page specifically for this PKCS#11 module.

+1

Will you create the design page? I have enjoyed it with DNSSEC and now I would like to spend some time with coding ... :-)

http://www.freeipa.org/page/Feature_template

In fact, it is not related to DNSSEC at all. We just need to add some
DNSSEC-specific metadata to keys, nothing else.

My point exactly.


IMO the easiest (from the PKCS#11 module writing perspective) way to do it
would be to map PKCS#11 object classes and attributes directly to LDAP object
classes and attributes, but that might be too low-level for us.

- We need to write a PKCS#11 module on top of the LDAP database.

SSSD.

- We need to design key rotation on client side (SSSD? Certmonger?).

Also SSSD.

I thought we already agreed on that last week?

Last idea I have heard was about certmonger - Dmitri thought that
Certmonger already has all the necessary logic.

It does not, for starters there is no LDAP or caching. If anything, it might
be a combination of both, but I think that's more relevant to CA certificate
rotation than DNSSEC.


In any case, nothing is set in stone. We have to discuss pros and cons
and then decide.

Obviously :-)


Keep in mind that we have to support key rotation even if the key was
compromised ... (Fallback from RFC 5011 to Kerberos+LDAP or something
like that.)

I don't see how this gives an advantage to either SSSD or certmonger.

Sure, I'm just pointing it out so we are all aware of this problem.

- We need to design WebUI/CLI
etc.

Read the 'External Impact' sections carefully :-)

Have a nice day!

--
Petr^2 Spacek

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel