On 10/07/2014 05:31 AM, Fraser Tweedale wrote: > Hi all, > > The Dogtag lightweight sub-CAs design has undergone major revision > and expansion ahead of beginning the implementation (I plan to begin > later this week). This feature will provide an API for admins to > create sub-CAs for separate security domains and augment the > existing API so that certificates requests can be directed to a > particular sub-CA. > > This feature will be used in FreeIPA for issuing user or service > certificates for particular purposes (that will be rejected when use > for other purposes). > > Please review the document and provide feedback. > > http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs > > Feedback/suggestions for the REST API (that FreeIPA will use) and > ACI considerations (e.g. is it appropriate to use the existing > "agent" credential or should a separate credential or more > fine-grained ACIs be used) are particularly encouraged. > > Cheers, > > Fraser
Thanks for sharing the design! Couple initial comments: > Creating sub-CAs > > Creation of sub-CAs at any time after the initial spawning of an CA instance > is a requirement. Preferably, restart would not be needed, however, if needed, > it must be able to be performed without manual intervention. I am all for having the operation in effect without requiring restart, especially given the change is in replicated tree. What do you mean by "restart without manual operation"? That Dogtag would restart itself when it detects that subCA would be added? > Key generation and storage Are we referring to http://www.freeipa.org/page/V4/PKCS11_in_LDAP http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema ? Contact people: Jan Cholasta, Petr Spacek > ACI considerations Agent credential is used by FreeIPA web interface, all authorization is then done on python framework level. We can add more agents and then switch the used certificate, but I wonder how to use it in authorization decisions. Apache service will need to to have access to all these agents anyway. First we need to think how fine grained authorization we want to do. I think we will want to be able to for example say that user Foo can generate certificates in specified subCA. I am not sure it is a good way to go, it would also make such private key distribution on IPA replicas + renewal a challenge. Right now, we only have "Virtual Operations" concept to authorize different operations with Dogtag CA, but it does not distinguish between different CAs. We could add a new Virtual Operation for every subCA, but it looks clumsy. But the ACI-based mechanism and our permission system would still be the easiest way to go, IMHO, compared to utilizing PKI agents. Martin _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel