[Openstack-security] Certmonger
Bryan D. Payne
bdpayne at acm.org
Tue Oct 29 15:44:39 UTC 2013
Adam,
Can you provide a little more detail on what pieces of OpenStack you are
imagining would integrate with Certmonger? I think some concrete examples
of why this is needed would go a long ways towards helping to spark some
discussion here. But you've piqued my interest and I'd like to hear more.
I'd certainly attend a session on this in Hong Kong, for what it's worth.
Cheers,
-bryan
On Mon, Oct 28, 2013 at 10:04 AM, Adam Young <ayoung at redhat.com> wrote:
> PKI requires infrastructure, more than the OpenStack project can really
> dictate. What OpenStack needs is a strategy to integrate in with existing
> PKI systems.
>
> Certmonger https://fedorahosted.org/certmonger/ is a tool from the Fedora project for integrating with a remote
> Certificate Authority. As such, it seems to fill the gap in our strategy.
> It can:
>
>
> Perform all of the local tasks for certificate request generation
> Monitor and request new certificates prior to expiration.
> Handle both NSS and OpenSSL local storage formats.
>
> Currently, Certmonger works against FreeIPA/Dogtag
> http://pki.fedoraproject.org/wiki/PKI_Main_Page and Certmaster
> https://fedorahosted.org/certmaster/ .
>
> I'd like to propose that we make Certmonger the focus for our X509
> management strategy. In order to do that, we need to ensure that
> Certmonger can support a large enough array of CA request formats.
>
> Beyond the ones listed above, what are people concerned with supporting
> for CA software? The Wikipedia list of Open Source CA implementations
> https://en.wikipedia.org/wiki/Certificate_authority#Open_source_implementations
> is fairly short. What are the dominant APIs that we need to support?
>
> Many people might be tempted to follow the advice of "Just let puppet
> handle it." I'm not certain that this is the right approach. Disregarding
> the shops that don't use Puppet or a comparable other Configuration
> management tool, it appears that Puppet performs "Master side" certificate
> generation, and not following the best practice of keeping the key in
> secure storage on the client. I'd be interested in hearing more feedback
> on this. However, it seems to me that Puppet and Certmonger should be able
> to work together, with Certmonger managing the logic for generating
> certificate requests and Puppet performing the marshalling: or maybe
> Certmonger can just talk directly to the Puppet CA.
>
> I am not certain that the Puppet CA is doing Revocations or OCSP, either,
> one or the other required for a full X509 implementation.
>
> It looks like Chef is also getting into the CA business.
> http://www.cryptocracy.com/blog/2013/04/20/very-simple-x509-pki-with-chef
>
> I've submitted a session for this under Devstack, as there is no general
> purpose "Security" heading. http://summit.openstack.org/cfp/details/363
> However, it might be too late to schedule it. I will try to put together
> an unconference session to discuss this, in conjunction with the Security
> team.
>
>
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-security/attachments/20131029/ed023091/attachment.html>
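The lifecycle Adam's message sketches (the private key generated and kept on the client, only a CSR sent to the remote CA, and a check that triggers a new request before expiry) as an added example using Go's standard library; this is a constructed illustration, not certmonger's, Puppet's or OpenStack's code. `IssueFromCSR` is an assumed stand-in for the remote CA (FreeIPA/Dogtag, Certmaster), and the "Demo CA" issuer name is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewClientKeyAndCSR does the local half of certmonger's job: the private key
// is generated on the client and only the DER-encoded CSR leaves the host
// (the practice the thread contrasts with Puppet's master-side generation).
func NewClientKeyAndCSR(cn string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csr, err
}

// IssueFromCSR is a constructed stand-in for the remote CA: it checks the
// CSR's proof of possession and signs a certificate for the CSR's public key.
func IssueFromCSR(csrDER []byte, caKey *ecdsa.PrivateKey, validity time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // CSR must be signed by the key it carries
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: csr.Subject,
		NotBefore: time.Now(), NotAfter: time.Now().Add(validity),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Demo CA"}, PublicKey: &caKey.PublicKey}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RenewalDue is the monitoring check certmonger performs on each tracked
// certificate: true once less than `window` of its lifetime remains.
func RenewalDue(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return !now.Add(window).Before(cert.NotAfter)
}
```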