[Pki-devel] Lightweight CAs key replication design

Hi team, Lightweight CA key replication is taking shape. I have updated the design page with juicy details: http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs#Key_replication Could interested parties and Simo please eyeball it. Simo, I particularly want your feedback on feasibility / implications of creating a Kerberos principal for each CA replica which will be authorised as a Custodia client to retrieve sub-CA signing keys. Alternatively, instead of adding another principal could we use the existing HTTP/<hostname>@<realm> principal as the Custodia client? I entertained implementing TLS certificate authentication for Custodia so that we could authenticate using e.g. CA subsystem cert but felt that GSS-API would be a smoother path, becaues we already have Python client code for IPA. The implementation is in-progress; most of the core Java bits are done, but not yet the IPA-specific KeyRetriever implementation nor the Python helper program. Cheers, Fraser P.S. I made a number of other updates to the design page - mostly updates to bring it in line with what's already been implemented.