[Openstack-security] Certmonger

Nathan Kinder nkinder at redhat.com
Tue Nov 5 04:52:05 UTC 2013


On 11/04/2013 06:59 PM, Clark, Robert Graham wrote:
>
> On 02/11/2013 15:55, "Adam Young" <ayoung at redhat.com> wrote:
>
>>
>>
>> On 11/01/2013 03:10 PM, Clark, Robert Graham wrote:
>>> Support for ADCS and EJBCA would make sense.
>> Good to hear it.  I'd come across them, but didn't know how well
>> supported they were.
>>
>>> I wasn't aware of the Chef-SSL project, quite interesting. In my
>>> experience the hard part with CA operations is actually the Registration
>>> Authority, ensuring that the requesting party has a right to the
>>> certificate is one of the main roles of the RA and with client-side
>>> generation (without out-of-band attestation) you quickly run into a
>>> chicken and egg type problem.
>> Dogtag, EJBCA and ADCS I think all have solutions to this, which are
>> somewhat different.  I suspect that could be abstracted away from the
>> Certmonger piece.
> They do but they're all horrible. EJBCA requires identity profiles for
> every request, a major headache and very hard to manage in dynamic
> environments. ADCS only works nicely if all your machines are domain
> joined in just the right way, Dogtag I'm not sure about but I suspect it
> has similar constraints.
Dogtag is fairly flexible.  What approach are you thinking of for 
proving that the requesting party is allowed to request a certificate?

I do agree with Adam that using Certmonger as an abstraction layer is a 
good idea.

-NGK
>
>
>>> A long time ago I wrote half of a very light weight restful CA with a
>>> very simple API and delegated certificate issuing (So you could grant
>>> permissions to create certificates on certain sub domains) - I keep
>>> threatening to turn it into something real. I'm not convinced that any
>>> of the platforms out there meet the needs we have very well. I should
>>> look more closely at Certmonger, maybe this will fit the bill!
>> Certmaster is the equivalent:
>>
>> https://fedorahosted.org/certmaster/
>>
>> XML-RPC based, so a RESTful augmentation would be very nice.
>>
>> Then again, we also have Barbican.  Let's make sure we are not
>> duplicating effort.
> Interesting, I'm keen to understand more about the x509 stuff in Barbican
> and I've added Certmaster to the list of things to look into.
>
>>> From: Bryan Payne <bdpayne at acm.org>
>>> Date: Tuesday, 29 October 2013 19:20
>>> To: "ayoung at redhat.com" <ayoung at redhat.com>
>>> Cc: "openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
>>> Subject: Re: [Openstack-security] Certmonger
>>>
>>>
>>> We need an approach for SSL everywhere:  it is one of the issues raised
>>> in the security guide.  Thus, the default deployment needs to show how
>>> to set that up.
>>>
>>> Makes sense to me.
>>> -bryan
>
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
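Robert's point about the Registration Authority (proving that the requesting party has a right to the names in the certificate, and the chicken-and-egg problem with client-side key generation), together with Nathan's question about how that proof should work, can be made concrete with a small model. The following is an added example, not code from this thread nor from Certmonger, Certmaster, Dogtag or Barbican. It implements two RA controls in plain Python: a delegation table that lets a requester obtain certificates only for names under the zones granted to it (the "certain sub domains" idea), and a one-time enrollment token handed out over an already-trusted operator channel, standing in for the out-of-band attestation the thread mentions. The team names, domain names, delegation table and token format are all constructed assumptions.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed delegation table (assumption): each requester identity may
# obtain certificates only for names at or under the zones granted to it.
DELEGATIONS = {
    "nova-team": {"nova.example.test"},
    "swift-team": {"swift.example.test", "objects.example.test"},
}


def name_allowed(name, zones):
    """True if `name` is a delegated zone apex or a subdomain of one.

    Wildcards are refused: a delegate for nova.example.test must not be able
    to obtain a certificate that also covers names it was never granted.
    """
    name = name.lower().rstrip(".")
    if "*" in name:
        return False
    for zone in zones:
        zone = zone.lower().rstrip(".")
        # endswith("." + zone) prevents a suffix trick such as
        # "nova.example.test.attacker.test" matching "nova.example.test".
        if name == zone or name.endswith("." + zone):
            return True
    return False


class EnrollmentTokens:
    """Out-of-band attestation for first enrollment.

    An operator who already trusts the requester mints a single-use token
    bound (by HMAC) to the requester identity and the exact name set. The
    host presents the token with its CSR; the RA never has to trust a
    not-yet-certified host's own claim about who it is.
    """

    def __init__(self, key):
        self._key = key          # RA-side secret; never leaves the RA
        self._minted = set()     # token ids handed out
        self._redeemed = set()   # token ids already consumed

    @staticmethod
    def _message(token_id, requester, names):
        canonical = ",".join(sorted(n.lower().rstrip(".") for n in names))
        return f"{token_id}|{requester}|{canonical}".encode()

    def mint(self, requester, names):
        token_id = secrets.token_hex(8)
        mac = hmac.new(self._key, self._message(token_id, requester, names),
                       hashlib.sha256).hexdigest()
        self._minted.add(token_id)
        return f"{token_id}.{mac}"

    def redeem(self, token, requester, names):
        try:
            token_id, mac = token.split(".", 1)
        except ValueError:
            return False
        if token_id not in self._minted or token_id in self._redeemed:
            return False  # unknown id or replay of a used token
        expected = hmac.new(self._key, self._message(token_id, requester, names),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False  # token was minted for a different requester or names
        self._redeemed.add(token_id)
        return True


@dataclass
class CertRequest:
    """The fields an RA needs from a CSR plus the enrollment token (constructed)."""
    requester: str
    names: list
    token: str


def ra_decide(req, tokens):
    """Return (approved, reason). Authorisation is checked before the token is
    consumed, so a request for names outside the delegation does not burn the token."""
    zones = DELEGATIONS.get(req.requester)
    if not zones:
        return False, "unknown requester"
    outside = [n for n in req.names if not name_allowed(n, zones)]
    if outside:
        return False, f"names outside delegation: {outside}"
    if not tokens.redeem(req.token, req.requester, req.names):
        return False, "enrollment token invalid, already used, or bound to a different request"
    return True, "approved"


if __name__ == "__main__":
    ra_tokens = EnrollmentTokens(b"constructed-test-key")
    tok = ra_tokens.mint("nova-team", ["api.nova.example.test"])
    print(ra_decide(CertRequest("nova-team", ["api.nova.example.test"], tok), ra_tokens))
    print(ra_decide(CertRequest("nova-team", ["api.nova.example.test"], tok), ra_tokens))  # replay
```

The two checks are deliberately independent: the delegation table answers "may this identity ever hold a certificate for this name?", while the token answers "did someone we already trust vouch for this particular enrollment?". A platform such as Certmonger sitting in front of Dogtag, EJBCA or ADCS would need to supply both answers in some form; this model shows what the abstraction has to carry without tying it to any one CA's profile mechanism.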
