Barbican/Certmonger

= Barbican & Certmonger Integration =

These are rough notes from the discussion held with parts of the Keystone & Barbican teams at the Hong Kong summit. Representation from HP, Red Hat and Rackspace as well as others. A non-exhaustive list is below. I didn't capture everyone's names so if I missed you, add yourself.


 * Jarret Raim
 * Paul Kehrer
 * Robert Graham Clark
 * Adam Young

Certmonger

 * Goal: Enable SSL everywhere
 * Certmonger helps to do that
 * Deals with revocation by tracking certificate expiry dates and renewing before they lapse
 * Doesn't use the REST APIs on Dogtag
 * Talks XML-RPC to FreeIPA and uses the old Dogtag calls

Establishing Trust

 * How does the certmonger agent talk to the backend for the first time?
 * This is a question of establishing trust; it can be discussed later
 * How to validate that a generated CSR should be trusted?
 * When a new machine is created, it needs an OTP to register that machine
 * Can certmonger specify which trust root to use? You can use the NSS database to switch
 * Use Keystone Kerberos / PKI to authenticate the connection to the Barbican backend
 * Delegate the ability for clients to generate certs under a sub-tree

Action Items

 * Barbican should be able to run on Windows to talk to AD?
 * Barbican should look at the Dogtag REST API documentation to inform our APIs
 * Certmonger uses Barbican as a backend
 * Barbican will implement / merge standards as needed for Certmonger (PKCS #10)
 * Barbican will provide backend plugins for trusts (Dogtag, Keyczar, PKCS #11, KMIP)
 * Think about supporting SCAP