Hi all,
Just landed a big update to the lightweight sub-CAs design proposal:
http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs.
I plan to start the implementing next week. Aside from general
design review, specific things I need input on are:
1)
How to propagate newly-generated sub-CA private keys to clones in
an automated way, and how to store them.
2)
REST API; whether to have a separate resource for sub-CAs, e.g.
``/ca/ee/ca/subca1/...``, or whether to use explicit parameters to
indicate a sub-CAs.
2a)
Similarly, for OCSP - whether to use a single OCSP responder for all
the CAs in an instance or whether to have separate responders for
different [sub-]CAs.
3)
The other main change in the design (I'm open to reconsidering but
the more I thought about it, the more it made sense) is that there
will be one CertificateAuthority object for the sub-CA (as well as
the primary CA), and likewise one CertificateRepository object for
each CA. The certificate repositories will be hierarchical OUs in
LDAP so that it will be straightforward to search all certificates,
or just those that were issued by a particular [sub-]CA. Details
are in the document.
Look forward to your feedback,
Fraser