On Thu, 2008-04-10 at 15:17 -0500, Dennis Gilmore wrote:
> On Tuesday 25 March 2008, Dennis Gilmore wrote:
> > We have come to the realisation that this has to be done sooner rather than
> > later. So I'm putting out a call for help and for feedback.
> >
> > We need to revamp the CA infrastructure used in Fedora.
> >
> > This is where I'd like to see us go.
> >
> > Publish a Certificate Revocation list so that all apps can check for
> > revoked certs
> >
> > Have users able to revoke their own cert
> > Have user certs be revoked when they request a new cert
> > Have admins able to create/revoke certs
> >
> > There are 2 types of certificates currently handled by 2 CAs. I really
> > want to use a single CA for all:
> >
> > Type 1) User certs. Used for plague/koji/cvs upload access. There is
> > work underway to use these for other Fedora web based apps also.
> >
> > Type 2) Builders, kojira, internal service authentication.
> >
> >
> > Products to be evaluated:
> >
> > http://pki.fedoraproject.org/wiki/PKI_Main_Page
> > https://www.openca.org/
> > http://ejbca.sourceforge.net/
> > Something custom
> >
> > FAS will need modification to work with the new framework. I also want to
> > allow fedora-packager-setup to grab the cert directly rather than having
> > the user manually do it. Probably with a flag for when to get a new cert.
> >
> > All users will need to get new user certs when we make the change, as well
> > as koji hub, all builders, koji garbage collection, bodhi. It would also be
> > a good time to deploy SSL auth for other apps.
> >
> > We have a ticket https://fedorahosted.org/fedora-infrastructure/ticket/466
> >
> > Please make suggestions for other apps we could use, also ideas for making
> > the workflow better.
> >
> > So this is a brief overview of what's needed. I'm going to open the floor
> > for a week for open discussion on how we should best do this.
> >
> > Dennis
>
> To follow up on this. I'm going to be looking at dogtag first. I've had a
> promise from them to help us when we have issues.
>
> OpenCA seems to have stalled development wise.
>
> ejbca has a very heavy footprint.
>
> Something custom I think is too big of a task.
>
> So people wanting to help with setting up, implementing and testing please
> raise your hands now.
>
> Dennis

I would be willing to help.

-Jason
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list