Hi team,

I updated the Sub-CAs design page with more detail for the key
replication[1].  This part of the design is nearly complete (a large
patchset is in review over at pki-devel@) but there are various
options about how to authenticate to Custodia.

[1] http://www.freeipa.org/page/V4/Sub-CAs#Key_replication

In brief, the options are:

1) authenticate as host principal; install binary setuid
   root:pkiuser to read host keytab and custodia keys.

2) authenticate as host principal; copy host keytab and custodia
   keys to location readable by pkiuser.

3) create new principal for pkiuser to use, along with custodia keys
   and keytab in location readable by pkiuser.

I prefer option (1) for reasons outlined in the design page.  The
design page goes into quite a bit more detail so please review the
section linked above and get back to me with your thoughts.


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to