On Tuesday 25 March 2008, Dennis Gilmore wrote: > We have come to the realisation that this has to be done sooner rather than > later. So i'm putting out a call for help and for feedback. > > We need to revamp the CA infrastructure used in Fedora. > > This is where Id like to see us go. > > Publish a Certificate Revocation list so that all apps can check for > revoked certs > > Have users able to revoke their own cert > Have user certs be revoked when they request a new cert > Have admins able to create/revoke certs > > Their are 2 types of certificates currently handled by 2 CA's I really > want to use a single CA for all: > > Type 1) user certs. used for plague/koji/cvs upload access. there is > work underway to use these for other fedora web based apps also. > > Type 2) Builders, kojira, internal service authentication. > > > Products to be evaluated: > > http://pki.fedoraproject.org/wiki/PKI_Main_Page > https://www.openca.org/ > http://ejbca.sourceforge.net/ > Something custom > > FAS will need modification to work with the new framework. I also want to > allow fedora-packager-setup to grab the cert directly rather than having > the user manually do it. probably with a flag for when to get a new cert. > > All users will need to get new user certs when we make the change. as well > as koji hub, all builders, koji garbage collection, bodhi, It would also be > a good time to deploy ssl auth for other apps. > > We have a ticket https://fedorahosted.org/fedora-infrastructure/ticket/466 > > Please make suggestions for other apps we could use, also ideas for making > the workflow better. > > So this is a brief overview of whats needed. Im going to open the floor > for a week for open discussion on how we should best do this. > > Dennis To follow up on this. Im going to be looking at dogtag first. Ive had a promise from them to help us when we have issues. OpenCA seems to have stalled development wise. ejbca has a very heavy footprint. something Custom i think is too big of a task. So people wanting to help with setting up, implementing and testing please raise your hands now. Dennis
Description: This is a digitally signed message part.