On Tue, 07 Oct 2014 16:32:24 +0200 Petr Spacek <pspa...@redhat.com> wrote:
> Naturally this forces applications to use PKCS#11 for all crypto so
> the raw key never leaves HSM. Luckily DNSSEC software is built around
> PKCS#11 so it was a natural choice for us.
>
> Personally, I would say that this is the way to go.

I think this should be a goal indeed. However I'd be content if the proxy process I described would use SoftHSM to retrieve the secrets to hand them out (or proxy the calls by using them to authenticate) for now.

But yes, the idea is that we store them encrypted in LDAP and the only thing we do is to add IPA servers' public keys to LDAP as a way to distribute access to master keys.

The CA stuff is slightly different though. We really have only 2 ways here:

1. Keep using certificates and build a proxy service that uses GSSAPI for authenticating received requests, then turn around and fetch a corresponding cert only the proxy has access to and replay the same command to the CA using this cert for auth.

2. Teach dogtag to use GSSAPI for authenticating these requests and then just tell it which principals (or groups of principals) are allowed to perform operations instead of using certs.

Of course 2 would be much simpler.

Fraser, how hard do you think it would be to add #2?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel