On 09/13/2011 06:41 AM, Adam Young wrote:
> The Layout of the PKI project is very unusual for a Java Server
> application. I'm trying to understand the rationale for some of the
> things that were done.
>
> Why do we create a separate server instance for each subsystem?

Because each subsystem is a standalone server.

> Is there a reason to continue doing so?

It provides great flexibility in deploying Certificate Server.

> Is using different ports for CA and DRM (and so forth) merely an
> artifact of using multiple servers, or is there an additional reason
> to do so?

Pkicreate tool allows selecting any ports. Pkicreate also suggests
ports for out of the box ease of use.

> Do we expect the same user to have and use different certificates for
> different servers,

This is a matter of deployment strategy.

> such that the certificate then becomes a union of authentication and
> authorization?

Certificates are the source of identity. Authorization is a separate
process based on verified identity.

> Is there a reason to separate the CA and DRM Directory servers?

Protection of archived keys.

> Is it a "best practice" to do so? What would be the implications of
> using a single instance for both?
>
> Is there any reason why the CA uses an LDAP server instead of a
> Relational Database?

X509 certificates are using the same distinguished names as LDAP.
Many identity products are based on directories.
Provides very secure access options.
Provides robust replication over secure channel.

> Do we expect people to make queries directly against the CA DirSrv,

No

> or is the Database best hidden from public view?
>
> Why do we split the build process up into multiple Source RPMS?
> Is there a reason to maintain this split?
>
> Are there design documents or discussions for these decisions?

Yes, please look for "Legacy Certificate Management System Website" on
the internal CS wiki.
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel