On Thu, Nov 19, 2009 at 18:25, Mike McGrath <mmcgrath@redhat.com> wrote:

On Fri, 20 Nov 2009, Mathieu Bridon (bochecha) wrote:

> Hi,
>
> > 20:25 < dgilmore> mmcgrath: id like to try work on updating koji auth/ and notifications during F-13 life cycle
> > 20:26 < ricky> PKI would be nice too :-)
> > 20:26 -!- |pitr| [n=kvirc@91.150.139.57] has joined #fedora-meeting
> > 20:26 < mmcgrath> #idea updating koji auth and notifications
> > 20:26 < mmcgrath> #idea pki (ricky says he'll do this and it'll be done by january)
> > 20:26 < mmcgrath> :-P
> > 20:26 * ricky runs
> [snip]
> > 20:28 < smooge> pki?
> > 20:28 < smooge> sorry.. will talk off chan
> > 20:28 < mmcgrath> smooge: yeah our pki right now is very... ehh manual
> > 20:28 < mmcgrath> and not fun to manage :)
>
> Not sure that's what you're looking for, but the guys I work with have
> created this neat Python module to handle CAs and certs:
> http://bitbucket.org/faide/pki/
>
> It's free software (MIT or PSF).
>

I think anything helps, we've been looking at dogtag for a while but
nothing has materialized yet. It's good to keep our options open.

I played with koji a while back, and one thought that I had at the time was about getting it to work with certmaster. I would think that based on the description from its product page that it would meet the conceptual requirements:

From https://fedorahosted.org/certmaster/

Certmaster is a set of tools and a library for easily distributing SSL certificates to applications that need them
Certmaster originated in the Func project
Any application can use certmaster for easy exchange of SSL certificates
Certmaster has a a python API and command line tool provided ("certmaster-request") for requesting certificates
A daemon, called "certmaster" is included to hand certificates out
The tool "certmaster-ca" is used to list certs and sign them when requests come in.
autosigning of new certificate requests is also supported but is off by default.
configuration is all done via minimal text files
certmaster has extensive audit logs of certificate operation

When I've looked at certmaster in the past I personally felt it needed a touch more configuration to allow for the actual signing of certificates by multiple applications, but a good frame work is in place, and its works fairly well for func.

One part I know it is definitely lacking is the user certificates.

-greg