Status Stakeholders Add stakeholders Outcome What did you decide? Due date When does this decision need to be made by? Owner Chris Tessmer

Background

In various modules that deal with PKI, parameters such as the following have been observed:

• $enable_pki = true 

  • Does this turn PKI on/off, turn PKI management on/off, turn the SIMP-specific PKI system on/off (see: The New Layout for all SIMP Modules)?

• $use_simp_pki = true

  • Okay, this looks like it explicitly means "Use SIMP's PKI system (e.g., FakeCA, keydist/, pki::copy)"

• $cert_source = '/absolute/path/to/dir'

  • simp-apache: Defines what directory look for certs in a 
  • ALTERNATIVE (simp-rsyslog): 

• $pki_cert_dir = '/same/as/cert_source/w/a/better/name'

Questions

• How should we tell a SIMP module to manage PKI  (at all)?
  • The opposite of manage is "leave it alone."
  • Examples of management: 
    • where to look for certs, cacerts
    • ensure that SSL is on or off
    • ensure that SSL is validated
  • Examples of something other than management: 
    
    • EXTRA: distributing certificates on the filesystem 
      • This is extra because 
    • d

• How should we tell SIMP to use SIMP's pki module vs some other PKI distribution system?

  • Examples: 

    • file-based:

      • simp-pki module's pki::copy from FakeCA

      • simp-beaker-helpers gem's pki_copy_to function.

      • Independent file delivery mechanism (another module, probably need to do nothing)

      • QUESTION: Is it reasonable to always expect PKI cert/key/cacert to be present in the same directory structure as pki::copy?

    • (moonshots, not ) 

      • PKI stored in LDAP?

      • PKI stored in TPM?

Action items

• Type your task here. Use "@" to assign a user and "//" to select a due date.