Status: NOT STARTED
Stakeholders:
Outcome:
Due date:
Owner: Chris Tessmer

Background

In various modules that deal with PKI, parameters such as the following have been observed:

  • $enable_pki = true 

  • $use_simp_pki = true

    • Okay, this looks like it explicitly means "Use SIMP's PKI system (e.g., FakeCA, keydist/, pki::copy)"

  • $cert_source = '/absolute/path/to/dir'

    • simp-apache: Defines what directory to look for certs in a
    • ALTERNATIVE (simp-rsyslog): 
  • $pki_cert_dir = '/same/as/cert_source/w/a/better/name'

 

Questions

  • How should we tell a SIMP module to manage PKI (at all)?
    • The opposite of manage is "leave it alone."
    • Examples of management: 
      • where to look for certs, cacerts
      • ensure that SSL is on or off
      • ensure that SSL is validated
    • Examples of something other than management: 
      • EXTRA: distributing certificates on the filesystem 
        • This is extra because it needs additional information
  • How should we tell SIMP to use SIMP's pki module vs some other PKI distribution system?

    • Examples: 

      • file-based:

        • simp-pki module's pki::copy from FakeCA

        • simp-beaker-helpers gem's pki_copy_to function.

        • Independent file delivery mechanism (another module, probably need to do nothing)

        • QUESTION: Is it reasonable to always expect PKI cert/key/cacert to be present in the same directory structure as pki::copy?
      • (moonshots, not ) 

        • PKI stored in LDAP?

        • PKI stored in TPM?

Action items
