Hi team,

Lightweight CA key replication is taking shape.  I have updated the
design page with juicy details:

    http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs#Key_replication

Could interested parties and Simo please eyeball it.  Simo, I
particularly want your feedback on feasibility / implications of
creating a Kerberos principal for each CA replica which will be
authorised as a Custodia client to retrieve sub-CA signing keys.
Alternatively, instead of adding another principal could we use the
existing HTTP/<hostname>@<realm> principal as the Custodia client?

I entertained implementing TLS certificate authentication for
Custodia so that we could authenticate using e.g. CA subsystem cert
but felt that GSS-API would be a smoother path, because we already
have Python client code for IPA.

The implementation is in-progress; most of the core Java bits are
done, but not yet the IPA-specific KeyRetriever implementation nor
the Python helper program.

Cheers,
Fraser

P.S. I made a number of other updates to the design page - mostly
updates to bring it in line with what's already been implemented.

_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
