2008/8/21 Toshio Kuratomi <a.badger@xxxxxxxxx>:
> Hey bright idea bringers!
>
> The Fedora Certificates issued by FAS are currently set to be autogenerated
> if you have an account in FAS. This has one drawback. We have to keep the
> password for the CA keys that sign the FAS certificates in a file on the
> filesystem so that the automatic signing can use them.
>
> Has anyone else had to confront this problem? Right now I'm thinking of
> coding something that involves human interaction to sign the certs and send
> email notifying people when their cert is ready to download. That's
> certainly doable, but introduces a wait time that isn't in the current
> design. I'd love input on better ways to do this.
>

It depends on the level of security we are wanting. The most secure places
I have been at always make sure there is a human in the loop, and that
human's events are regularly and randomly audited. Even having hardware
tokens to generate things (we had a device that was hooked in via a serial
port so it did not need a kernel driver), for a high level of CIA you may
want a set of humans looking at it. However it puts in a delay. We would
put a 24-hour delay in getting/creating certs for people, which meant we
had time to confirm that the person really was supposed to get it etc.

If the delay and the fact that we aren't doing background checks on
applicants, we probably want to do a multi-tier level of creating tokens.
One set would be ones that people need to be vetted somehow and have more
keys to the kingdom. The other set would be for people doing common work
flow at the project.

I wonder if we can come up with some serial port key generator. I think the
design was a locked box where you keyed in the master number via itsy-bitty
dipswitches.

--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
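The two-tier, human-in-the-loop issuance flow discussed in the thread, as an added example that is not code from the thread or from FAS: a request queue that auto-signs common-tier certs, holds privileged-tier requests for the 24-hour delay and an approver other than the requester, and keeps an audit trail that can be randomly sampled. The `signer` callable (standing in for whatever box or token actually holds the CA key), the hour-based clock and the tier names are assumptions.

```python
import random
from dataclasses import dataclass
PRIVILEGED_DELAY_HOURS = 24       # hold time mentioned in the thread
TIERS = ("common", "privileged")  # assumed tier names

@dataclass
class Request:
    rid: int
    user: str
    csr: bytes
    tier: str
    submitted_at: float           # hours on a constructed clock, not wall time
    cert: "bytes | None" = None

class IssuanceQueue:
    """Holds CSRs: common tier is auto-signed, privileged tier waits for a human."""
    def __init__(self, signer):
        # signer runs where the CA key lives; this queue never holds the key or its password
        self._sign = signer
        self.requests = {}
        self.audit = []           # (event, rid, actor) tuples

    def submit(self, user, csr, tier, now):
        if tier not in TIERS:
            raise ValueError(f"unknown tier {tier!r}")
        rid = len(self.requests) + 1
        req = Request(rid, user, csr, tier, now)
        self.requests[rid] = req
        self.audit.append(("submit", rid, user))
        if tier == "common":      # keeps the current no-wait behaviour for low-privilege certs
            req.cert = self._sign(csr)
            self.audit.append(("auto-sign", rid, "system"))
        return rid

    def approve(self, rid, approver, now):
        req = self.requests[rid]
        if req.cert is not None:
            raise RuntimeError("already issued")
        if approver == req.user:
            raise PermissionError("requester may not approve their own request")
        if now - req.submitted_at < PRIVILEGED_DELAY_HOURS:
            raise RuntimeError("hold period has not elapsed")
        req.cert = self._sign(req.csr)
        self.audit.append(("approve", rid, approver))
        return req.cert

    def sample_for_audit(self, k, seed):
        # random, reproducible pick of human approvals for the periodic audit
        human = [e for e in self.audit if e[0] == "approve"]
        return random.Random(seed).sample(human, min(k, len(human)))
```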