
Barbican/Certmonger

Barbican & Certmonger Integration

These are rough notes from the discussion with parts of the Keystone & Barbican teams at the Hong Kong summit, with representation from HP, Red Hat and Rackspace as well as others. A non-exhaustive list is below. I didn't capture everyone's names, so if I missed you, add yourself.

  • Jarret Raim
  • Paul Kehrer
  • Robert Graham Clark
  • Adam Young
  • <Others>

Certmonger

  • Goal: enable SSL everywhere
    • Certmonger helps to do that by requesting and renewing host certificates
  • Handles "revocation" by tracking certificate expiry dates and renewing before they lapse
  • Doesn't use the REST APIs on Dogtag
  • Talks XML-RPC to FreeIPA and uses the old Dogtag calls

Establishing Trust

  • How does the certmonger agent talk to the backend for the first time?
    • This is about establishing trust and can be discussed later
  • How to validate that the generated CSR should be trusted?
  • When a new machine is created, it needs an OTP to register that machine
  • Can certmonger specify which trust root to use? You can use the NSS database to switch
  • Use Keystone Kerberos / PKI to authenticate the connection to the Barbican backend
  • Delegate the ability for clients to generate certs off a sub-tree

Action Items

  • Barbican should be able to run on Windows to talk to AD?
  • Barbican should look at the Dogtag REST API documentation to inform our APIs
  • Certmonger uses Barbican as a backend
  • Barbican will implement / merge standards as needed for Certmonger (PKCS#10)
  • Barbican will provide backend plugins for trusts (Dogtag, Keyczar, PKCS#11, KMIP)
  • Think about supporting SCAP
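Two items above touch the same question: how a backend validates that a generated CSR should be trusted, and Barbican accepting PKCS#10 from certmonger. The script below is an added example, not code from these notes, from certmonger or from Barbican. It shows the checks a backend would apply to a submitted PKCS#10 request before forwarding it to a CA: proof of possession through the CSR's self-signature, the requested subject matching the single name the registering machine is authorised for (the authorisation itself would come from the OTP enrolment discussed above), and a minimum key size. It uses the openssl command line; the host names and the 2048-bit floor are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from certmonger or Barbican: backend-side checks on a
# PKCS#10 CSR before it is handed to a CA. Host names and the key-size floor are
# assumptions for illustration.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Agent side (stands in for certmonger): generate a key pair and a PKCS#10 CSR
# for the given host name. Prints the CSR path.
make_csr() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    printf '%s\n' "$WORKDIR/$host.csr"
}

# Backend side: decide whether a submitted CSR should be trusted for the name the
# registered machine is allowed to request.
#   $1 CSR path, $2 CN the requester is authorised for, $3 minimum key bits (default 2048)
check_csr() {
    csr="$1"; allowed_cn="$2"; min_bits="${3:-2048}"

    # 1. Proof of possession: the CSR's self-signature must verify with the
    #    embedded public key. The status line is matched rather than the exit
    #    code, because older openssl releases exit 0 even on "verify failure".
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "reject: CSR signature does not verify"; return 1; }

    # 2. Authorisation: the requested subject must be exactly the name this
    #    requester was registered to ask for (the OTP enrolment would bind that).
    cn="$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
          | sed -n 's/^subject=CN=//p')"
    [ "$cn" = "$allowed_cn" ] \
        || { echo "reject: subject '$cn' not authorised for '$allowed_cn'"; return 1; }

    # 3. Key policy: refuse keys below the floor. The sed pattern tolerates both
    #    "Public-Key: (N bit)" and the older "RSA Public-Key: (N bit)" wording.
    bits="$(openssl req -in "$csr" -noout -pubkey \
            | openssl pkey -pubin -noout -text \
            | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p')"
    [ "${bits:-0}" -ge "$min_bits" ] \
        || { echo "reject: ${bits:-unknown}-bit key below $min_bits"; return 1; }

    echo "accept: CN=$cn, $bits-bit key"
}

# Stand-alone demonstration: one accepted request, one rejected for the wrong name.
CSR="$(make_csr node01.example.test)"
check_csr "$CSR" node01.example.test
check_csr "$CSR" node02.example.test || true
```

The subject check is deliberately an exact match against one authorised name rather than a pattern: the trust question in the notes is whether this agent may obtain this identity, and that decision belongs to the backend's registration record, not to whatever the agent wrote into the CSR.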