DRM is the way to go. However it does not support symmetric keys now.
This is the pert that we need for volume keys. May be it is the vault
to store all sorts of keys. This is something that needs to be
designed and looked at as a broader perspective.
Adam likes to repeat a phase about dreaming big so I do. I want IPA to
be a vault for all sorts of keys and passwords and what else. If DRM
is the answer - great.
I can start listing the use cases that such a key store should satisfy
and we can design something that would altimately fit the build but
build gradually knocking use cases one by one.
I will take an action idem to come with the use cases. Give me couple
weeks as I am under water now...
Specifically: the phrase is "Dream big, implement small."
There are four things here, I'd guess, that should play into the design.
1. User certificates in IPA. Discussed already, and probably the
first thing to implement on the IPA side.
2. DRM/KRA talking to an external CA. Not sure if this makes sense,
has been discussed etc.
3. DRM/KRA Integration into IPA. Regardless of 2, we should talk
through the use cases for integration
4. DRM/KRA Support for symmetric keys etc.
Freeipa-users mailing list