On Tue, May 26, 2015 at 07:49:10AM +0200, Martin Kosek wrote:
> On 05/25/2015 04:40 PM, Jan Cholasta wrote:
> >Dne 25.5.2015 v 16:26 Fraser Tweedale napsal(a):
> >>On Mon, May 25, 2015 at 03:56:46PM +0200, Martin Kosek wrote:
> >>>On 05/25/2015 03:13 PM, Jan Cholasta wrote:
> >>>>Hi,
> >>>>
> >>>>Dne 25.5.2015 v 14:55 Martin Babinsky napsal(a):
> >>>>>Hello all, long post ahead!
> >>>>>
> >>>>>I became a proud owner of https://fedorahosted.org/freeipa/ticket/4238,
> >>>>>and while Martin's design page
> >>>>>(http://www.freeipa.org/page/V4/User_Certificates) brings a
> >>>>>comprehensive overview of what should be done, there are still some gray
> >>>>>areas we should address both in the design page and the actual
> >>>>>implementation.
> >>>>>
> >>>>>These are the things that were agreed upon in previous thread(s):
> >>>>>
> >>>>>1.) If the whole user certificates are available, the should be stored
> >>>>>directly in the user entry as an attribute of the following format:
> >>>>>
> >>>>>      "userCertificate;binary;$id",
> >>>>>
> >>>>>where "id" should be an unique identifier. IIRC we agreed that the
> >>>>>first/last 4 bytes of cert's SHA512 hash should fill the 'id' role
> >>>>>nicely. During user authentication the whole binary blob would be
> >>>>>matched (pspacek pointed out that the cost of this operation is
> >>>>>acceptable).
> >>>>>
> >>>>>2.) In addition, or when the user certs are stored externally, we should
> >>>>>store the certificate metadata in the user entry. These metadata should
> >>>>>be represented by "userCertAttrs;$id;$attr" attributes, where $attr
> >>>>>subtype corresponds to the type of metadata (issuer, serial no., profile
> >>>>>id, certificate hash etc.). The authentication/lookup would require some
> >>>>>custom matching rule to fetch the correct cert.
> >>>>>
> >>>>>Point 1. seems clear to me, we need to implement an index for
> >>>>>userCertificate attribute in DS and modify 'user-add/mod' commands to
> >>>>>allow for direct enrollment through API ("--usercertificate" option).
> >>>>>
> >>>>>Point 2. requires more work: we need to add a new attribute
> >>>>>"userCertAttrs" to the schema and create DS index/custom matching rule
> >>>>>for searching. I'm also not quite sure how to approach the task of
> >>>>>getting these metadata from external storage and putting them to the
> >>>>>user entry.
> >>>>
> >>>>Both points are obsolete. See the design page you linked for the current 
> >>>>plan.
> >>>
> >>>Huh, where that came from Martin? Did you have some cached old version of 
> >>>the
> >>>design page? I am just wondering what went wrong, as this is something I
> >>>deleted from that page month ago.
> >>>
> >>+1 ; we will just store the certificate(s) in the userCertificate
> >>attribute.
> >>
> >>>>
> >>>>>
> >>>>>These are the questions that should be addressed in a broader discussion:
> >>>>>
> >>>>>What is the relation to Fraser's work (cert profiles/sub-CAs)? I have
> >>>>>seen that the recent iteration of Fraser's patches (0010-3 and 0011-3)
> >>>>>add some ACIs and attributes/requests related to user certificates. I
> >>>>>suppose that the only way the user certs are related to cert profile
> >>>>>will be that there will be a profile ID stored either in cert itself, or
> >>>>>as a separate userCertAttr;$id;profileId attribute in user entry.
> >>>>>
> >>For the avoidance of doubt, there well be no way to query which
> >>profile was used to issue a certificate in the near term.  Dogtag
> >>does store this information, but at the moment we are not planning
> >>to use it or expose it in IPA.
> >>
> >>>>>What to do with user certs when the entry is deleted? Should we revoke
> >>>>>them or let them expire?
> >>>>
> >>>>See 
> >>>><https://www.redhat.com/archives/freeipa-devel/2015-May/msg00198.html>.
> >>>>
> >>
> >>There was not really any conclusion to that discussion.  I am in
> >>favour of a ``{user,host,service}-{del,mod} --[no-]revoke[=$REASON]``
> >>argument that says what to do when we delete a certificate, and
> >>allows specifying the revocation reason.
> >
> >I don't think we should add such option, for the same reasons why we did not
> >add the option to override the "store certificate in entry" policy in
> >cert-request.
> >
> >>
> >>I don't have a strong opinion on whether the default should be to
> >>revoke or not revoke, but I do think that the default revocation
> >>reason should be unspecified(0).  superseded(4) is no longer
> >>appropriate.
> >
> >I would rather wait for Dogtag to implement the profile querying interface
> >before doing anything and just not revoke certificates for now.
> Well, whatever we do, it should not be a regression. So, we can change the
> global default (or make it different for upgraded/new installations as with
> some ACIs for PermissionsV2) but we should still have some possibility for a
> user to configure the behavior. FreeIPA should be still able to revoke certs
> stored in user/service/host entry during object-del/object-disable.
> What should we do in this case? Option for "ipa config-*"?
I think a global option is sensible starting point.

We should also consider an option to use revocation reason
"certificateHold" for obj-disable and revive the certificates if the
object is re-enabled via obj-enable.  (I'm not sure whether Dogtag
makes this easy but I am pretty sure it's currently possible; and
it's a bit more work for IPA to do this, of course).

I'm currently removing the revocation behaviour out of
{host,certificate}-{add,mod} as part of the multi-cert support, but
will leave the -del/-disable behaviour largely unchanged for now
(only to make these commands revoke all the certificates, not just
one certificate).


> Martin

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to