We have come to the realisation that this has to be done sooner rather than later, so I'm putting out a call for help and for feedback. We need to revamp the CA infrastructure used in Fedora.

This is where I'd like to see us go:

- Publish a Certificate Revocation List so that all apps can check for revoked certs
- Have users able to revoke their own cert
- Have user certs be revoked when they request a new cert
- Have admins able to create/revoke certs

There are 2 types of certificates, currently handled by 2 CAs. I really want to use a single CA for all:

Type 1) User certs, used for plague/koji/cvs upload access. There is work underway to use these for other Fedora web-based apps also.
Type 2) Builders, kojira, internal service authentication.

Products to be evaluated:

- http://pki.fedoraproject.org/wiki/PKI_Main_Page
- https://www.openca.org/
- http://ejbca.sourceforge.net/
- Something custom

FAS will need modification to work with the new framework. I also want to allow fedora-packager-setup to grab the cert directly rather than having the user manually do it, probably with a flag for when to get a new cert.

All users will need to get new user certs when we make the change, as well as koji hub, all builders, koji garbage collection, bodhi,

It would also be a good time to deploy SSL auth for other apps. We have a ticket:
https://fedorahosted.org/fedora-infrastructure/ticket/466
Please make suggestions for other apps we could use, also ideas for making the workflow better.

So this is a brief overview of what's needed. I'm going to open the floor for a week for open discussion on how we should best do this.

Dennis