We have come to the realisation that this has to be done sooner rather than later. So I'm putting out a call for help and for feedback.
We need to revamp the CA infrastructure used in Fedora.
This is where I'd like to see us go.
Publish a Certificate Revocation List so that all apps can check for revoked certs
Have users able to revoke their own cert
Have user certs be revoked when they request a new cert
Have admins able to create/revoke certs
There are 2 types of certificates currently handled by 2 CAs. I really want to use a single CA for all:
Type 1) User certs. Used for plague/koji/cvs upload access. There is work underway to use these for other Fedora web-based apps also.
Type 2) Builders, kojira, internal service authentication.
Products to be evaluated:
http://pki.fedoraproject.org/wiki/PKI_Main_Page
https://www.openca.org/
http://ejbca.sourceforge.net/
Something custom
FAS will need modification to work with the new framework. I also want to allow fedora-packager-setup to grab the cert directly rather than having the user manually do it, probably with a flag for when to get a new cert.
All users will need to get new user certs when we make the change, as well as koji hub, all builders, koji garbage collection, bodhi. It would also be a good time to deploy SSL auth for other apps.
We have a ticket https://fedorahosted.org/fedora-infrastructure/ticket/466
Please make suggestions for other apps we could use, also ideas for making the workflow better.
So this is a brief overview of what's needed. I'm going to open the floor for a week for open discussion on how we should best do this.
Dennis
On Tue, 2008-03-25 at 18:04 -0500, Dennis Gilmore wrote:
> So this is a brief overview of what's needed. I'm going to open the floor for a week for open discussion on how we should best do this.
I don't have the details[1], but we should ensure if we're fixing our certificate infrastructure that we do it in such a way that the serials on our certs are reasonable and that they can be used for things like signing mail.
Jeremy
[1] It was reported before and I can dig them up or go do some poking, but almost dinnertime now ;-)
On Tue, 2008-03-25 at 19:26 -0400, Jeremy Katz wrote:
> On Tue, 2008-03-25 at 18:04 -0500, Dennis Gilmore wrote:
> > So this is a brief overview of what's needed. I'm going to open the floor for a week for open discussion on how we should best do this.
> I don't have the details[1], but we should ensure if we're fixing our certificate infrastructure that we do it in such a way that the serials on our certs are reasonable and that they can be used for things like signing mail.
Have we just set up an instance of the certificate server code RH just released?
Alternatively (and I probably wouldn't recommend this for user certs) we could use/hack on certmaster to be able to handle these requests.
it's definitely returning certs w/proper serials, etc.
-sv
On Tuesday 25 March 2008, seth vidal wrote:
> On Tue, 2008-03-25 at 19:26 -0400, Jeremy Katz wrote:
> > On Tue, 2008-03-25 at 18:04 -0500, Dennis Gilmore wrote:
> > > So this is a brief overview of what's needed. I'm going to open the floor for a week for open discussion on how we should best do this.
> > I don't have the details[1], but we should ensure if we're fixing our certificate infrastructure that we do it in such a way that the serials on our certs are reasonable and that they can be used for things like signing mail.
We have to have proper serials to be able to revoke certificates so yes that is part of it.
> Have we just set up an instance of the certificate server code RH just released?
> Alternatively (and I probably wouldn't recommend this for user certs) we could use/hack on certmaster to be able to handle these requests.
> it's definitely returning certs w/proper serials, etc.
We have not set anything up yet but dogtag-pki at pki.fedoraproject.org is the code that RH just released. It's something that we should evaluate.
Dennis
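A toy model of the revocation workflow discussed in this thread (revoke on reissue, publish a CRL, check it), added as an example and not part of the original messages or of any product named here. It assumes a constructed in-memory `ToyCA` with no real X.509 or signing; the `unique_serials=False` case is a constructed failure showing why a CRL, which identifies certs by serial, needs distinct serials.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from itertools import count

@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    subject: str

@dataclass
class ToyCA:
    """Hypothetical in-memory CA model; no real X.509 or signing."""
    name: str
    unique_serials: bool = True
    _next: count = field(default_factory=lambda: count(1))
    active: dict = field(default_factory=dict)    # subject -> current Cert
    revoked: dict = field(default_factory=dict)   # serial -> revocation time

    def issue(self, subject):
        # Requesting a new cert revokes the one the subject already holds.
        if subject in self.active:
            self.revoke(subject)
        serial = next(self._next) if self.unique_serials else 0
        cert = Cert(self.name, serial, subject)
        self.active[subject] = cert
        return cert

    def revoke(self, subject):
        # Same path for user self-revocation and admin revocation.
        cert = self.active.pop(subject)
        self.revoked[cert.serial] = datetime.now(timezone.utc)

    def crl(self):
        # A CRL names its issuer and lists revoked serials with their dates.
        return {"issuer": self.name, "revoked": dict(self.revoked)}

def is_revoked(cert, crl):
    """Relying-party check: the only match keys are issuer and serial."""
    return cert.issuer == crl["issuer"] and cert.serial in crl["revoked"]

def demo(unique_serials):
    ca = ToyCA("Constructed Test CA", unique_serials)
    old = ca.issue("alice")
    builder = ca.issue("builder1")
    new = ca.issue("alice")          # reissue: alice's old cert is revoked
    crl = ca.crl()
    return is_revoked(old, crl), is_revoked(new, crl), is_revoked(builder, crl)
```

With distinct serials only the superseded cert is rejected; with a reused serial the single CRL entry rejects every cert the CA issued.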
On 2008-03-25 06:04:16 PM, Dennis Gilmore wrote:
> Products to be evaluated:
> http://pki.fedoraproject.org/wiki/PKI_Main_Page
> https://www.openca.org/
> http://ejbca.sourceforge.net/
> Something custom
We took a quick look at some of these in IRC, and I'd personally prefer something that doesn't use LDAP for storage (since we didn't end up going with LDAP for FAS, and it seems like overkill for just the CA).
I haven't looked too deeply yet, but I'm currently leaning towards something custom. Would certmaster possibly be a good project to work on for providing this kind of functionality?
> FAS will need modification to work with the new framework. I also want to allow fedora-packager-setup to grab the cert directly rather than having the user manually do it, probably with a flag for when to get a new cert.
Would you want to request this directly from the CA, or would that not be exposed (and it would all communicate through FAS?) If you want to go through FAS, I have something that should work starting from the next releases of python-fedora and FAS (and it'd just stay the same once we've modified FAS to talk to an external CA).
Thanks, Ricky
On Tue, 2008-03-25 at 19:37 -0400, Ricky Zhou wrote:
> On 2008-03-25 06:04:16 PM, Dennis Gilmore wrote:
> > Products to be evaluated:
> > http://pki.fedoraproject.org/wiki/PKI_Main_Page
> > https://www.openca.org/
> > http://ejbca.sourceforge.net/
> > Something custom
> We took a quick look at some of these in IRC, and I'd personally prefer something that doesn't use LDAP for storage (since we didn't end up going with LDAP for FAS, and it seems like overkill for just the CA).
Even not using LDAP for all of FAS, there's still a lot of things we could export from the db -> ldap to be more easily used and accessible. So I wouldn't discount LDAP just because it's not the backing store of FAS.
> I haven't looked too deeply yet, but I'm currently leaning towards something custom. Would certmaster possibly be a good project to work on for providing this kind of functionality?
Also, going off and building our own thing feels like it's going to be a long-term detriment. Some of the bits for proper CRLs and the like are not trivial and very important to get "right"
Jeremy
On Tue, Mar 25, 2008 at 10:16 PM, Jeremy Katz katzj@redhat.com wrote:
> Also, going off and building our own thing feels like it's going to be a long-term detriment. Some of the bits for proper CRLs and the like are not trivial and very important to get "right"
Not that this matters for anything but coming from the guy who's sitting in the peanut gallery :), I *really* think that we should look long and hard at Dogtag. Perhaps it comes from where I work, but I'm a big proponent of eating our own dog food (or wearing our own dog tag, as it were :) ). They've already done the hard work. If it's not good enough for what we need it to do, what's to make us think that it'll be deployed *at all*? We should really attempt to repair any shortcomings that Dogtag has to make it usable.
$0.000001
-Jon
On Tue, Mar 25, 2008 at 8:29 PM, Jon Stanley jonstanley@gmail.com wrote:
> On Tue, Mar 25, 2008 at 10:16 PM, Jeremy Katz katzj@redhat.com wrote:
> > Also, going off and building our own thing feels like it's going to be a long-term detriment. Some of the bits for proper CRLs and the like are not trivial and very important to get "right"
> Not that this matters for anything but coming from the guy who's sitting in the peanut gallery :), I *really* think that we should look long and hard at Dogtag. Perhaps it comes from where I work, but I'm a big proponent of eating our own dog food (or wearing our own dog tag, as it were :) ). They've already done the hard work. If it's not good enough for what we need it to do, what's to make us think that it'll be deployed *at all*? We should really attempt to repair any shortcomings that Dogtag has to make it usable.
> $0.000001
I will add a US Dollar, a Brazilian and Canadian Dollar too.. and maybe a Zimbabwe dollar also.
On Tue, 2008-03-25 at 18:04 -0500, Dennis Gilmore wrote:
> Products to be evaluated:
> http://pki.fedoraproject.org/wiki/PKI_Main_Page
> https://www.openca.org/
> http://ejbca.sourceforge.net/
> Something custom
> So this is a brief overview of what's needed. I'm going to open the floor for a week for open discussion on how we should best do this.
> Dennis
My vote is for EJBCA. It's very easy to use, and has fairly low administrative requirements. It's very easy to delegate capabilities.
Its main dependencies are JBoss and Java, and uses OJDBC to connect to any SQL database. It's also capable of interacting with LDAP, if need be.
It has built-in support for the usual alphabet soup of PKI services such as OCSP, SCEP, CMP, and auto-generates CRLs.
If this is the route we go, I'm also happy to help set up an EJBCA instance.
I also have experience with OpenCA and want to explicitly vote _against_ it. It's a pain to set up and use, and development has basically stagnated. (last release was 0.9.3-rc1 in Oct 2006, with RPMs for FC4)
---Brett.
Many hands make light work. -- John Heywood
On Tuesday 25 March 2008, Dennis Gilmore wrote:
> We have come to the realisation that this has to be done sooner rather than later. So I'm putting out a call for help and for feedback.
> We need to revamp the CA infrastructure used in Fedora.
> This is where I'd like to see us go.
> Publish a Certificate Revocation List so that all apps can check for revoked certs
> Have users able to revoke their own cert
> Have user certs be revoked when they request a new cert
> Have admins able to create/revoke certs
> There are 2 types of certificates currently handled by 2 CAs. I really want to use a single CA for all:
> Type 1) User certs. Used for plague/koji/cvs upload access. There is work underway to use these for other Fedora web-based apps also.
> Type 2) Builders, kojira, internal service authentication.
> Products to be evaluated:
> http://pki.fedoraproject.org/wiki/PKI_Main_Page
> https://www.openca.org/
> http://ejbca.sourceforge.net/
> Something custom
> FAS will need modification to work with the new framework. I also want to allow fedora-packager-setup to grab the cert directly rather than having the user manually do it, probably with a flag for when to get a new cert.
> All users will need to get new user certs when we make the change, as well as koji hub, all builders, koji garbage collection, bodhi. It would also be a good time to deploy SSL auth for other apps.
> We have a ticket https://fedorahosted.org/fedora-infrastructure/ticket/466
> Please make suggestions for other apps we could use, also ideas for making the workflow better.
> So this is a brief overview of what's needed. I'm going to open the floor for a week for open discussion on how we should best do this.
> Dennis
To follow up on this. I'm going to be looking at dogtag first. I've had a promise from them to help us when we have issues.
OpenCA seems to have stalled development-wise.
ejbca has a very heavy footprint.
Something custom I think is too big of a task.
So people wanting to help with setting up, implementing and testing please raise your hands now.
Dennis
On Thu, 2008-04-10 at 15:17 -0500, Dennis Gilmore wrote:
> To follow up on this. I'm going to be looking at dogtag first. I've had a promise from them to help us when we have issues.
> OpenCA seems to have stalled development-wise.
> ejbca has a very heavy footprint.
> Something custom I think is too big of a task.
> So people wanting to help with setting up, implementing and testing please raise your hands now.
> Dennis
If Dogtag doesn't pan out, I'm willing to help with ejbca. I'm already familiar with it.
---Brett.
Are you tired of being a crash test dummy for Microsoft? Discover Linux.
-- Gareth Barnard
On Thu, 2008-04-10 at 15:17 -0500, Dennis Gilmore wrote:
> On Tuesday 25 March 2008, Dennis Gilmore wrote:
> > We have come to the realisation that this has to be done sooner rather than later. So I'm putting out a call for help and for feedback.
> > We need to revamp the CA infrastructure used in Fedora.
> > This is where I'd like to see us go.
> > Publish a Certificate Revocation List so that all apps can check for revoked certs
> > Have users able to revoke their own cert
> > Have user certs be revoked when they request a new cert
> > Have admins able to create/revoke certs
> > There are 2 types of certificates currently handled by 2 CAs. I really want to use a single CA for all:
> > Type 1) User certs. Used for plague/koji/cvs upload access. There is work underway to use these for other Fedora web-based apps also.
> > Type 2) Builders, kojira, internal service authentication.
> > Products to be evaluated:
> > http://pki.fedoraproject.org/wiki/PKI_Main_Page
> > https://www.openca.org/
> > http://ejbca.sourceforge.net/
> > Something custom
> > FAS will need modification to work with the new framework. I also want to allow fedora-packager-setup to grab the cert directly rather than having the user manually do it, probably with a flag for when to get a new cert.
> > All users will need to get new user certs when we make the change, as well as koji hub, all builders, koji garbage collection, bodhi. It would also be a good time to deploy SSL auth for other apps.
> > We have a ticket https://fedorahosted.org/fedora-infrastructure/ticket/466
> > Please make suggestions for other apps we could use, also ideas for making the workflow better.
> > So this is a brief overview of what's needed. I'm going to open the floor for a week for open discussion on how we should best do this.
> > Dennis
> To follow up on this. I'm going to be looking at dogtag first. I've had a promise from them to help us when we have issues.
> OpenCA seems to have stalled development-wise.
> ejbca has a very heavy footprint.
> Something custom I think is too big of a task.
> So people wanting to help with setting up, implementing and testing please raise your hands now.
> Dennis
I would be willing to help.
-Jason
On 2008-04-10 03:17:23 PM, Dennis Gilmore wrote:
> To follow up on this. I'm going to be looking at dogtag first. I've had a promise from them to help us when we have issues.
> OpenCA seems to have stalled development-wise.
> ejbca has a very heavy footprint.
> Something custom I think is too big of a task.
> So people wanting to help with setting up, implementing and testing please raise your hands now.
Whichever we end up going with, I'd love to help out too (testing, FAS2/webapp integration, etc.).
Thanks, Ricky