Fedora CA Project
Dennis Gilmore
dennis at ausil.us
Thu Apr 10 20:17:23 UTC 2008
On Tuesday 25 March 2008, Dennis Gilmore wrote:
> We have come to the realisation that this has to be done sooner rather than
> later. So i'm putting out a call for help and for feedback.
>
> We need to revamp the CA infrastructure used in Fedora.
>
> This is where Id like to see us go.
>
> Publish a Certificate Revocation list so that all apps can check for
> revoked certs
>
> Have users able to revoke their own cert
> Have user certs be revoked when they request a new cert
> Have admins able to create/revoke certs
>
> Their are 2 types of certificates currently handled by 2 CA's I really
> want to use a single CA for all:
>
> Type 1) user certs. used for plague/koji/cvs upload access. there is
> work underway to use these for other fedora web based apps also.
>
> Type 2) Builders, kojira, internal service authentication.
>
>
> Products to be evaluated:
>
> http://pki.fedoraproject.org/wiki/PKI_Main_Page
> https://www.openca.org/
> http://ejbca.sourceforge.net/
> Something custom
>
> FAS will need modification to work with the new framework. I also want to
> allow fedora-packager-setup to grab the cert directly rather than having
> the user manually do it. probably with a flag for when to get a new cert.
>
> All users will need to get new user certs when we make the change. as well
> as koji hub, all builders, koji garbage collection, bodhi, It would also be
> a good time to deploy ssl auth for other apps.
>
> We have a ticket https://fedorahosted.org/fedora-infrastructure/ticket/466
>
> Please make suggestions for other apps we could use, also ideas for making
> the workflow better.
>
> So this is a brief overview of whats needed. Im going to open the floor
> for a week for open discussion on how we should best do this.
>
> Dennis
To follow up on this. Im going to be looking at dogtag first. Ive had a
promise from them to help us when we have issues.
OpenCA seems to have stalled development wise.
ejbca has a very heavy footprint.
something Custom i think is too big of a task.
So people wanting to help with setting up, implementing and testing please
raise your hands now.
Dennis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20080410/e85e2050/attachment.bin
More information about the infrastructure
mailing list