Hi team,

Lightweight CA key replication is taking shape. I have updated the design page with juicy details:

http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs#Key_replication

Could interested parties and Simo please eyeball it.

Simo, I particularly want your feedback on feasibility / implications of creating a Kerberos principal for each CA replica which will be authorised as a Custodia client to retrieve sub-CA signing keys. Alternatively, instead of adding another principal could we use the existing HTTP/<hostname>@<realm> principal as the Custodia client?

I entertained implementing TLS certificate authentication for Custodia so that we could authenticate using e.g. CA subsystem cert but felt that GSS-API would be a smoother path, because we already have Python client code for IPA.

The implementation is in progress; most of the core Java bits are done, but not yet the IPA-specific KeyRetriever implementation nor the Python helper program.

Cheers,
Fraser

P.S. I made a number of other updates to the design page - mostly updates to bring it in line with what's already been implemented.