He posted a follow up on why he took it down:
https://plus.google.com/110981030061712822816/posts
OK, let's assume that Dogtag PKI is going to be wildly successful. Cuz,
we all know that to be the fact. By wildly successful I mean that there
is an installation in many companies. Everyone in that company that
needs a certificate, that needs decent PKI infrastructure has access to
one. How are they going to use it?
Lots of ways. Too many to count. Some will do what Candlepin is doing
and use it to track who can connect to what network. The legal
department will use it to sign documents. IT will use it to make sure
that only trusted people can get into the datacenter. All the use cases
we currently know about and more.
For example, Web Single Sign on is a big deal these days, but when you
get right down to it, all the implementations resolve to: redirect to
this server over here and log on with your userid and password.
Userid and password? What is this, 1983?
Login:pfalker:
Password:Joshua.
Would you like to play a nice game of chess?
Kerberos is a much better solution. The only problem is that it goes
through ports other than the universally sanctioned 80/443. So, unless
a means to proxy Kerberos via 443 comes around, and then gets
implemented in all browsers, Kerberos will be restricted to inside the
corporate firewall.
If only there were a cryptographically secure way to log into a web
application that worked in all browsers and through standard ports...
OK, so Web Single Sign on could easily be the killer app for Dogtag.
But we don't need to bet the farm on it. We need to make it so that
everyone can use Dogtag, and use it easily. A good, web services based
API is "Necessary but not sufficient." What else do we need?
Dogtag does an innovative form of Authentication. It uses the Client
certificate to find out who you are, and then looks up in LDAP to find
out the rest of your user information. This mechanism needs to be made
into a reusable authentication Realm so it can be used by other
applications running in Tomcat and JBoss.
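As an added illustration of that mechanism (this is not Dogtag's own code), here is a hypothetical Tomcat 9 Realm that takes the user id from the client certificate the connector has already verified and then fetches the rest of the user, here the roles, from LDAP; the LDAP URL, base DN, the `memberOf` role attribute and a subject that carries a UID RDN are all assumptions.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/** Hypothetical Tomcat realm: who you are comes from the client cert, the rest of the user from LDAP. */
public class CertLdapRealm extends RealmBase {
    // Assumed settings; a real realm would expose these as attributes set from context.xml.
    private final String ldapUrl = "ldap://ldap.example.test:389";
    private final String userBase = "ou=people,dc=example,dc=test";
    private final String roleAttr = "memberOf";
    /** Tomcat calls this only after the connector (clientAuth="true") has verified the chain. */
    @Override protected Principal getPrincipal(X509Certificate cert) {
        String uid = subjectValue(cert, "UID");  // assumes a Dogtag-style subject carrying a UID RDN
        return uid == null ? null : getPrincipal(uid);
    }
    /** The uid goes in filterArgs so JNDI escapes it instead of being concatenated into the filter. */
    @Override protected Principal getPrincipal(String username) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        SearchControls sc = new SearchControls(); sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        sc.setReturningAttributes(new String[] { roleAttr });
        try {
            DirContext ctx = new InitialDirContext(env);
            try {
                NamingEnumeration<SearchResult> hits = ctx.search(userBase, "(uid={0})", new Object[] { username }, sc);
                if (!hits.hasMore()) return null;  // valid cert but no such user: reject
                List<String> roles = new ArrayList<>();
                Attribute a = hits.next().getAttributes().get(roleAttr);
                if (a != null) for (NamingEnumeration<?> v = a.getAll(); v.hasMore();) roles.add(v.next().toString());
                return new GenericPrincipal(username, null, roles);
            } finally { ctx.close(); }
        } catch (Exception e) {
            containerLog.warn("LDAP lookup failed for " + username, e); return null;
        }
    }
    @Override protected String getPassword(String username) { return null; }  // certificate-only realm
    private static String subjectValue(X509Certificate cert, String type) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
                if (rdn.getType().equalsIgnoreCase(type)) return rdn.getValue().toString();
        } catch (InvalidNameException e) { /* malformed subject: treat as no match */ }
        return null;
    }
}
```

It is registered with a `<Realm className="CertLdapRealm"/>` element under a connector configured with `clientAuth="true"`; the connector's truststore decides which CA is trusted, so the realm only maps an already verified identity and never has to trust a bare subject name.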
Down the road, we will want to port it to HTTPD as well as to talk JDBC
to relational databases, but really, if we are successful,
someone else out there may just take care of that for us.
We now need to make it easy to install. We are looking at pkicreate
and pkisilent with an eye to streamlining and simplifying the install
process.
We need examples of people using Dogtag. eCommerce, Legal, Medical
(HIPAA!), Educational sites that use Dogtag as their PKI implementation.
We need to get the word out. The long time Dogtag developers are the
people who know PKI better than anyone. Not in the abstract sense, but
in the "Done it in the real world, under load, for very important
systems" sense. Dogtag is a mature, complete, Open Source, PKI
implementation. When you search Google for "Open Source PKI", you
should have to scroll to the second page to find a mention of something
other than Dogtag or one of its derivatives.