Soapbox (Q series): host certificates pictures. Jens, May ’19, Utrecht PMA
Diagram (built up across several slides): HOST at the centre, surrounded by the things issuance and revocation depend on: CA, key mgmt, config, DNS, policy, infra, CRL, OCSP, CT.
Notes
• Certificate issuance
– It has the right names (CN, SANs) – config, DNS
– It is authorised / member of / etc. – config, policy
– Generated keys – host, key mgmt
• Revocation
– Anyone can request revocation
– But not all are equal: sysadmin, RA ops, CA ops
– Add: e-infra secops
– Adding automated agents for immediate revocation

Thoughts on hosts and robots
• 1 year lifetime (= 400 days) is a compromise
– Initial request
– Renewal (changing key, expiry)
– Change request (changing key, adding/removing SANs)

Can we streamline the issuance of hosts and robots?
• What is required?
– APIs (automation of authorised agents)
• Issuance, CCRs, renewal
• Policy checks
• Revocation
– Involve RPs’ authorised parties
• Transparency, e.g. through CT
– Need to use/translate CT (somehow)
• Corollary: lifetime can be longer (or shorter)

Praeterea Censeo
• CAOPS
– Place to go and share innovation
– Sometimes deployed first and asked questions later
• Like questions:
– How can we use CT? (if at all)
– There are already standard or “standard” APIs for many things (CMS, CMP, SCEP, etc.)
– Also the SAML ones
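The policy checks an automated issuance API would run, as sketched in the Notes and the hosts-and-robots slides, written out as an added example (not code from the talk or any CA): names are checked against a DNS view and an authorisation table, the lifetime against the 400-day cap, and a request is classified as initial, renewal or change request. The DNS view, the authorisation table and the request format are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

MAX_LIFETIME_DAYS = 400  # the "1 year = 400 days" compromise from the slides

# Constructed policy table (assumption): which authorised agent may request
# certificates for which host names. In a real CA this comes from config/policy.
AUTHORISED = {
    "sysadmin-alice": {"www.example.org", "mail.example.org"},
    "robot-ci": {"build.example.org"},
}

# Constructed DNS view (assumption): stands in for an actual resolver lookup.
DNS = {"www.example.org", "mail.example.org", "build.example.org", "old.example.org"}


@dataclass(frozen=True)
class Request:
    requester: str                         # the authorised agent making the call
    cn: str
    sans: FrozenSet[str]
    lifetime_days: int
    current_sans: Optional[FrozenSet[str]] = None  # set when a cert already exists


def classify(req: Request) -> str:
    """Initial request, renewal (same names, new key) or change request (SANs differ)."""
    if req.current_sans is None:
        return "initial"
    return "renewal" if req.current_sans == req.sans else "change"


def check(req: Request) -> Tuple[str, List[str]]:
    """Run the issuance policy checks; an empty problem list means the request may proceed."""
    problems: List[str] = []
    if req.cn not in req.sans:
        problems.append("CN must also appear as a SAN")
    allowed = AUTHORISED.get(req.requester, set())
    for name in sorted({req.cn} | req.sans):
        if name not in DNS:                      # "right names" check against DNS
            problems.append(f"{name}: not in DNS")
        if name not in allowed:                  # "authorised" check against policy
            problems.append(f"{name}: {req.requester} not authorised")
    if req.lifetime_days > MAX_LIFETIME_DAYS:    # lifetime cap
        problems.append(f"lifetime {req.lifetime_days}d exceeds {MAX_LIFETIME_DAYS}d")
    return classify(req), problems
```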
- Slides: 15