Hi Fraser,

I have some rather inane comments. I guess Jan cholasta will do a more thorough review of your design. See below:

On 01/06/2017 09:08 AM, Fraser Tweedale wrote:
Hi comrades,

I have written up the high-level details of the FreeIPA->Dogtag
GSS-API authentication design.  The goal is improve security by
removing an egregious privilege separation violation: the RA Agent
cert.

There is a fair bit of work still to do on the Dogtag side but
things are shaping up there and it's time to work out the IPA
aspects.  The design is at:

  http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication

first of all, you link a internal document from publicly available design page. you should prepare a publicly visible version of the Dogtag-side design and link that.

It would also be nice to have a high-level graphical representation of the proposed CSR processing workflow. I think you can re-use the one that is in the Dogtag part, omit the Dogtag internals and add IPA-specific parts.


Right now, I need feedback about the Domain Level aspects: whether
it is the right approach, whether there are mechanisms to perform
update steps (specifically: LDAP updates and/or api calls) alongside
a DL bump, or if there aren't, how to deal with that (implement such
a mechanism, make admins do extra steps, ???).


Is the DL bump really necessary? Are you sure we really can not just update the profile configuration and let older Dogtag installation handle it gracefully? IIRC we have done some profile inclusion work in 4.2 development and on and never really bothered about older Dogtag understanding them.

Anyway I guess we can call `certprofile-import' to load ExternalProcessConstraint-enabled profile upon setting domain level to 2, we just have to know where on the FS it is located.

Of course, any other general or specific feedback is welcome.

Thanks,
Fraser


So if I understand correctly there will be no change in CA ACL management interface and only the code which evaluates them will be factored out into 'ipa-pki-validate-cert-request' command? Also, wouldn't it simpler if the CA ACL evaluation was delegated to a separate API command instead? ExternalProcessConstraint would then only ask IPA JSON api and process the response.

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to