On 15.10.2014 16:24, Nikos Mavrogiannopoulos wrote:
  Concerning: https://bugs.freedesktop.org/show_bug.cgi?id=51949#c3
What are your requirements? We currently have working code (but not yet
merged) for an isolated security module via p11-kit. Our requirements
are to protect private keys by keeping them outside a process' boundary.
FreeIPA has the same requirement in this regard + couple more.

The main target is to run softhsm (v2) in an isolated mode. If we can
This was our plan too :-)

combine efforts would be nice.

The original intent was to design LDAP-backed PKCS#11 module which will be used for CA certificate distribution to clients.

E.g. SSSD would download the CA certificates managed by FreeIPA to client and expose them via PKCS#11 to p11-kit. We hope that this would allow almost seamless CA roll-over.
This is in scope of https://fedorahosted.org/freeipa/ticket/4322

Later we found out that DNSSEC support in FreeIPA needs to distribute and share private keys among all FreeIPA DNS servers. It seems that LDAP-backed PKCS#11 backend could be used for the same purpose.
The idea how it can be done in secure way is described on:

We did not get to coding it yet but the very rough idea was to wrap local SoftHSM instance and use SSSD to do two-way synchronization between local HSM and LDAP-backend.

It certainly could be extended to handle user credentials too (SSH private keys or passwords in GNOME keyring?).

Jan Cholasta (CCed) can add more details, he is the main architect of this solution :-)

Petr^2 Spacek

Freeipa-devel mailing list

Reply via email to