On 4.3.2014 23:18, Dmitri Pal wrote:
We need PKCS#11 for CA certificates, BIND and OpenDNSSEC anyway so we need
to design schema for *public* data. All private data can be stored in Vault
if we agree on that.

Do we need it on the server and if so can it be exposed by the vault rather
than via LDAP?
We need standard PKCS#11 interface because applications like BIND and OpenDNSSEC do not care about IPA-specifics. However applications see only PKCS#11 interface and nothing else, there could be LDAP or some other protocol behind the API.

Honza's plan is to integrate PKCS#11 module to SSSD somehow so it will be available on all client machines, it will use caching facilities, fail-over etc.

Replying to the other thread to join both threads to one:
Also about PKCS#11 interface. I am all for PKCS#11 interface for client
exposed from SSSD that uses whatever means to fetch the central keys it being
SSH keys, gnome keyring keys or something else.
AFAIK that is exactly the plan.

I do not see a reason for IPA
to expose a remote PKCS#11 interface. If we need a remote PKCS#11 interface
(please insert why here) then it should be a part of the vault API rather than
anything else.
I'm not sure that I understand...

PKCS#11 is just a set of functions, for an application it is a library.

An application just calls the PKCS#11 API and knows nothing about implementation details so there is nothing like 'remote PKCS#11'. As I said above, SSSD will be behind scenes. Everything is local except the data storage in LDAP or vault, it doesn't matter.

Maybe I misunderstood you, sorry.

Petr^2 Spacek

Freeipa-devel mailing list

Reply via email to