[Openstack-security] Certmonger

Adam Young ayoung at redhat.com
Sat Nov 2 15:55:52 UTC 2013
On 11/01/2013 03:10 PM, Clark, Robert Graham wrote:
> Support for ADCS and EJBCA would make sense.
Good to hear it.  I'd come across them, but didn't know how well 
supported they were.

>
> I wasn’t aware of the Chef-SSL project, quite interesting. In my experience the hard part with CA operations is actually the Registration Authority, ensuring that the requesting party has a right to the certificate is one of the main roles of the RA and with client-side generation (without out-of-band attestation) you quickly run into a chicken and egg type problem.
Dogtag, EJBCA and ADCS I think all have solutions to this, which are 
somewhat different.  I suspect that could be abstracted away from the 
Certmonger piece.
>
> A long time ago I wrote half of a very light weight restful CA with a very simple API and delegated certificate issuing (So you could grant permissions to create certificates on certain sub domains) - I keep threatening to turn it into something real. I’m not convinced that any of the platforms out there meet the needs we have very well. I should look more closely at Certmonger, maybe this will fit the bill!
Certmaster is the equivalent:

https://fedorahosted.org/certmaster/

XML-RPC based, so a RESTful augmentation would be very nice.

Then again, we also have Barbican.  Let's make sure we are not 
duplicating effort.

>
> From: Bryan Payne <bdpayne at acm.org>
> Date: Tuesday, 29 October 2013 19:20
> To: "ayoung at redhat.com" <ayoung at redhat.com>
> Cc: "openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
> Subject: Re: [Openstack-security] Certmonger
>
>
> We need an approach for SSL everywhere:  it is one of the issues raised in the security guide.  Thus, the default deployment needs to show how to set that up.
>
> Makes sense to me.
> -bryan