[Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

Dmitri Pal dpal at redhat.com
Wed Aug 3 22:04:23 UTC 2011


On 08/03/2011 02:29 PM, Adam Young wrote:
> On 08/03/2011 01:16 PM, Ian Stokes-Rees wrote:
>>
>>
>> On 8/3/11 12:38 PM, Adam Young wrote:
>>> I think what you are interested in is the Data Recovery Manager
>>> (DRM...hey, we had the acronym first, but we also call it Key
>>> Recovery) aspect of Certificate Server.
>>
>> That is awesome.  That is exactly what I want.
>>
>> Do you have experience with this?  If so, does it work if the
>> certificate requests are being handled by an external entity?  We use
>> a Department of Energy CA located in California, but the users in our
>> community are from across the US (and international), and we're
>> looking to improve the process of them acquiring a usable "identity"
>> in a federated environment.  We're using FreeIPA internally, but if
>> we can link it in to the cert request process and cert mgmt process
>> (from the user end, not the CA end) that would be great.
>>
>> Ian
> Experience?  I've been on the Dogtag project for over a week now.
> I'm learning about it as we speak.
>
> The place to ask about Dogtag and the pki products is
> pki-users at redhat.com
> <http://www.redhat.com/mailman/listinfo/pki-users> and the IRC
> channel on freenode is #dogtag-pki.
>
> Integrating KRA into IPA is on the map, although I am not sure of the
> timeframe.  However, I suspect that our approach would be assuming you
> wanted your own CA.  Not sure if you can do KRA with an external CA.
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

DRM is the way to go. However, it does not support symmetric keys now.
This is the part that we need for volume keys. Maybe it is the vault to
store all sorts of keys. This is something that needs to be designed and
looked at from a broader perspective.
Adam likes to repeat a phrase about dreaming big, so I do. I want IPA to
be a vault for all sorts of keys and passwords and what else. If DRM is
the answer - great.
I can start listing the use cases that such a key store should satisfy,
and we can design something that would ultimately fit the bill but
build it gradually, knocking off use cases one by one.
I will take an action item to come up with the use cases. Give me a couple
of weeks as I am under water now...


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


