On Tue, Oct 07, 2014 at 01:47:05PM +0200, Martin Kosek wrote:
> On 10/07/2014 05:31 AM, Fraser Tweedale wrote:
> > Hi all,
> >
> > The Dogtag lightweight sub-CAs design has undergone major revision
> > and expansion ahead of beginning the implementation (I plan to begin
> > later this week). This feature will provide an API for admins to
> > create sub-CAs for separate security domains and augment the
> > existing API so that certificate requests can be directed to a
> > particular sub-CA.
> >
> > This feature will be used in FreeIPA for issuing user or service
> > certificates for particular purposes (that will be rejected when used
> > for other purposes).
> >
> > Please review the document and provide feedback.
> >
> > http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs
> >
> > Feedback/suggestions for the REST API (that FreeIPA will use) and
> > ACI considerations (e.g. is it appropriate to use the existing
> > "agent" credential or should a separate credential or more
> > fine-grained ACIs be used) are particularly encouraged.
> >
> > Cheers,
> >
> > Fraser
>
> Thanks for sharing the design! A couple of initial comments:
>
> > Creating sub-CAs
> >
> > Creation of sub-CAs at any time after the initial spawning of a CA instance
> > is a requirement. Preferably, restart would not be needed; however, if
> > needed, it must be able to be performed without manual intervention.
>
> I am all for having the operation in effect without requiring restart,
> especially given the change is in replicated tree. What do you mean by
> "restart without manual operation"? That Dogtag would restart itself when
> it detects that subCA would be added?
>

This is an artifact of earlier discussions. The requirement was that if
a restart was required to complete the addition of a sub-CA, it could
be triggered automatically. But I think it is now clear that it should
be possible to do it without a restart.

> > Key generation and storage
>
> Are we referring to
> http://www.freeipa.org/page/V4/PKCS11_in_LDAP
> http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema
> ? Contact people: Jan Cholasta, Petr Spacek
>

(Probably clear from the subsequent discussion, but for the sake of a
direct answer...) No, not specifically referring to the above. The
requirement is to generate sub-CA signing keys and propagate them to
clones, securely; this is for a Dogtag CA subsystem feature, so it
should be possible to do it without a KRA subsystem, SSSD, etc.

> > ACI considerations
>
> Agent credential is used by FreeIPA web interface, all authorization is then
> done on python framework level. We can add more agents and then switch the
> used certificate, but I wonder how to use it in authorization decisions.
> Apache service will need to have access to all these agents anyway.
>
> First we need to think how fine grained authorization we want to do. I think
> we will want to be able to for example say that user Foo can generate
> certificates in specified subCA. I am not sure it is a good way to go, it
> would also make such private key distribution on IPA replicas + renewal a
> challenge.
>
> Right now, we only have "Virtual Operations" concept to authorize different
> operations with Dogtag CA, but it does not distinguish between different CAs.
> We could add a new Virtual Operation for every subCA, but it looks clumsy. But
> the ACI-based mechanism and our permission system would still be the easiest
> way to go, IMHO, compared to utilizing PKI agents.
>
> Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
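The property the thread keeps coming back to, a certificate issued by one sub-CA being rejected when presented where a different sub-CA's certificates are expected, falls out of how a relying party scopes its trust. The script below is an added illustration, not Dogtag or FreeIPA code and not anything from the design page: it builds a constructed root CA, two sub-CAs standing in for separate security domains ("users" and "services"), one leaf under each, and then shows that a verifier trusting only the "users" sub-CA accepts that domain's certificate and rejects the other, while a verifier trusting the root accepts both. All names and subjects are constructed; it needs only the `openssl` command-line tool (1.1.1 or later for the options used).

```shell
#!/bin/sh
# Added example (not Dogtag or FreeIPA code). Constructed PKI:
#   Demo Root CA -> Demo Sub-CA users    -> alice
#                -> Demo Sub-CA services -> www.example.test
# A relying party that trusts only one sub-CA rejects the other domain's
# certificates, which is the "rejected when used for other purposes"
# behaviour discussed in the thread. Requires the openssl CLI.
set -eu

# Write the X.509 extension profiles used below into the file named by $1.
write_profiles() {
    cat >"$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_subca ]
# pathlen:0 keeps a sub-CA from issuing further CAs of its own
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Generate a P-256 key and issue a certificate for it.
# $1 dir, $2 file basename, $3 subject CN, $4 extension section,
# $5 issuer basename (empty string => self-signed root).
issue_cert() {
    dir=$1; name=$2; cn=$3; ext=$4; issuer=$5
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$cn" \
        -config "$dir/profiles.cnf" >/dev/null 2>&1
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
            -days 30 -extfile "$dir/profiles.cnf" -extensions "$ext" \
            -out "$dir/$name.crt" >/dev/null 2>&1
    else
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.crt" \
            -CAkey "$dir/$issuer.key" -CAcreateserial -days 30 \
            -extfile "$dir/profiles.cnf" -extensions "$ext" \
            -out "$dir/$name.crt" >/dev/null 2>&1
    fi
}

# Build the whole constructed hierarchy under directory $1.
build_demo_pki() {
    write_profiles "$1/profiles.cnf"
    issue_cert "$1" root          "Demo Root CA"         v3_root  ""
    issue_cert "$1" sub-users     "Demo Sub-CA users"    v3_subca root
    issue_cert "$1" sub-services  "Demo Sub-CA services" v3_subca root
    issue_cert "$1" leaf-users    "alice"                v3_leaf  sub-users
    issue_cert "$1" leaf-services "www.example.test"     v3_leaf  sub-services
}

# Relying party scoped to one security domain: trust only sub-CA cert $1,
# check leaf $2. -partial_chain lets a non-self-signed cert be the anchor.
verify_scoped() {
    if openssl verify -partial_chain -trusted "$1" "$2" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Relying party that trusts the root: $1 root, $2 intermediate, $3 leaf.
verify_via_root() {
    if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Stand-alone demonstration.
DEMO_DIR=$(mktemp -d)
build_demo_pki "$DEMO_DIR"
verify_scoped "$DEMO_DIR/sub-users.crt" "$DEMO_DIR/leaf-users.crt" \
    && echo "users-scoped verifier: accepts alice"
verify_scoped "$DEMO_DIR/sub-users.crt" "$DEMO_DIR/leaf-services.crt" \
    || echo "users-scoped verifier: rejects www.example.test"
verify_via_root "$DEMO_DIR/root.crt" "$DEMO_DIR/sub-services.crt" \
    "$DEMO_DIR/leaf-services.crt" && echo "root verifier: accepts both domains"
rm -rf "$DEMO_DIR"
```

The scoping lives entirely on the relying-party side: nothing in the leaf certificate itself says "users only", so a service that is meant to accept only one domain's certificates has to anchor trust at that sub-CA (or otherwise pin the issuer) rather than at the shared root, which is why a separate sub-CA per purpose is what makes the per-purpose rejection enforceable.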