Fedora CA Project

Jason jmtaylor90 at gmail.com
Thu Apr 10 20:38:18 UTC 2008


On Thu, 2008-04-10 at 15:17 -0500, Dennis Gilmore wrote:
> On Tuesday 25 March 2008, Dennis Gilmore wrote:
> > We have come to the realisation that this has to be done sooner rather than
> > later.  So I'm putting out a call for help and for feedback.
> >
> > We need to revamp the CA infrastructure used in Fedora.
> >
> > This is where I'd like to see us go.
> >
> > Publish a Certificate Revocation list so that all apps can check for
> > revoked certs
> >
> > Have users able to revoke their own cert
> > Have user certs be revoked when they request a new cert
> > Have admins able to create/revoke certs
> >
> > There are 2 types of certificates currently handled by 2 CAs.  I really
> > want to use a single CA for all:
> >
> > Type 1) User certs.  Used for plague/koji/cvs upload access.  There is
> > work underway to use these for other Fedora web based apps also.
> >
> > Type 2) Builders, kojira, internal service authentication.
> >
> >
> > Products to be evaluated:
> >
> > http://pki.fedoraproject.org/wiki/PKI_Main_Page
> > https://www.openca.org/
> > http://ejbca.sourceforge.net/
> > Something custom
> >
> > FAS will need modification to work with the new framework.  I also want to
> > allow fedora-packager-setup to grab the cert directly rather than having
> > the user manually do it, probably with a flag for when to get a new cert.
> >
> > All users will need to get new user certs when we make the change, as well
> > as koji hub, all builders, koji garbage collection, and bodhi.  It would also
> > be a good time to deploy SSL auth for other apps.
> >
> > We have a ticket https://fedorahosted.org/fedora-infrastructure/ticket/466
> >
> > Please make suggestions for other apps we could use,  also ideas for making
> > the workflow better.
> >
> > So this is a brief overview of what's needed.  I'm going to open the floor
> > for a week for open discussion on how we should best do this.
> >
> > Dennis
> 
> To follow up on this.  I'm going to be looking at dogtag first.  I've had a
> promise from them to help us when we have issues.
> 
> OpenCA seems to have stalled development-wise.
> 
> ejbca has a very heavy footprint.
> 
> Something custom, I think, is too big of a task.
> 
> So people wanting to help with setting up, implementing and testing, please
> raise your hands now.
> 
> Dennis

I would be willing to help.

-Jason
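A worked illustration of two items from Dennis's list above, "publish a Certificate Revocation list so that all apps can check for revoked certs" and "have user certs be revoked when they request a new cert". This is an added example, not code from this thread, from Fedora Infrastructure, or from dogtag, OpenCA or EJBCA; it uses the Python `cryptography` library (an assumption; none of the products under evaluation are built on it), and the CA name, the user "jdoe", the serial numbers and the validity periods are all constructed for the example. The point it shows that the list item does not: a relying app (koji hub, the cvs upload server, a web app) has to verify the CRL's signature and freshness before "not on the list" means anything, and a cert from a different key with the same issuer name is rejected before the CRL is even consulted.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca(cn="Example Fedora CA (constructed)"):
    """Self-signed CA; one CA for user and service certs, as the thread wants."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(_name(cn))
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert

def issue_user_cert(ca_key, ca_cert, username, serial):
    """Issue a user cert (PEM). The serial is what a CRL names, so never reuse one."""
    user_key = ec.generate_private_key(ec.SECP256R1())  # private half is not kept here
    now = datetime.datetime.now(UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(username)).issuer_name(ca_cert.subject)
        .public_key(user_key.public_key()).serial_number(serial)
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=180))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)

def build_crl(ca_key, ca_cert, revoked, issued_at=None, validity_hours=24):
    """Publish a CRL (PEM) of {serial: ReasonFlags}; apps must refetch by next_update."""
    issued_at = issued_at or datetime.datetime.now(UTC)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject).last_update(issued_at)
        .next_update(issued_at + datetime.timedelta(hours=validity_hours))
    )
    for serial, reason in revoked.items():
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(issued_at)
            .add_extension(x509.CRLReason(reason), critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)

def check_cert(cert_pem, crl_pem, ca_cert):
    """What a relying app does before trusting a presented cert. Order matters:
    an unverified or stale CRL says nothing about revocation."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    crl = x509.load_pem_x509_crl(crl_pem)
    ca_pub = ca_cert.public_key()
    if cert.issuer != ca_cert.subject:
        return "wrong-issuer"
    try:  # a matching issuer name proves nothing; check the CA's signature
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "bad-cert-signature"
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_pub):
        return "bad-crl"
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update  # naive in old versions
    if nxt is None or nxt.replace(tzinfo=nxt.tzinfo or UTC) < datetime.datetime.now(UTC):
        return "stale-crl"  # blocking CRL downloads must not un-revoke a cert
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"

def demo():
    """The thread's workflow: the old cert is revoked when a new one is issued."""
    ca_key, ca_cert = make_ca()
    first = issue_user_cert(ca_key, ca_cert, "jdoe (constructed)", 1001)
    results = {"first_before": check_cert(first, build_crl(ca_key, ca_cert, {}), ca_cert)}
    second = issue_user_cert(ca_key, ca_cert, "jdoe (constructed)", 1002)
    crl = build_crl(ca_key, ca_cert, {1001: x509.ReasonFlags.superseded})
    results["first_after"] = check_cert(first, crl, ca_cert)
    results["second"] = check_cert(second, crl, ca_cert)
    old = datetime.datetime.now(UTC) - datetime.timedelta(days=2)
    results["stale"] = check_cert(second, build_crl(ca_key, ca_cert, {}, issued_at=old), ca_cert)
    rogue_key, rogue_ca = make_ca()  # same subject name as our CA, different key
    rogue = issue_user_cert(rogue_key, rogue_ca, "jdoe (constructed)", 1002)
    results["rogue"] = check_cert(rogue, crl, ca_cert)
    return results
```

Calling `demo()` returns "ok" for the first cert before revocation, "revoked" for it once the second cert has been issued and the CRL republished with reason `superseded`, "ok" for the second cert, "stale-crl" when the app is handed a CRL past its `nextUpdate`, and "bad-cert-signature" for the cert signed by the rogue CA. The `stale-crl` branch is the caveat that matters operationally: if apps accept an expired CRL, an attacker who can keep them from fetching a fresh one keeps a revoked cert alive, so the CA's publication interval and the apps' refresh interval have to be planned together.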