Soapbox Q series host certificates pictures Jens May

Soapbox (Q series) host certificates pictures Jens, May ’ 19 Utrecht PMA

HOST

CA HOST

Key mgmt CA HOST

Key mgmt CA HOST

Key mgmt config DNS CA HOST

Key mgmt config DNS CA HOST Policy

Key mgmt config DNS CA HOST Policy infra

Key mgmt config DNS CA HOST CRL Policy infra

Key mgmt config DNS CA OCS P HOST CRL Policy infra

Key mgmt config DNS CA CT OCS P HOST CRL Policy infra

Notes • Certificate issuances – It has the right names (CN, SANs) – config, DNS – It is authorised/member. Of/etc – config, policy – Generated keys – host, keymgmt • Revocation – Anyone can request revocation – But not all are equal: sysadmin, RA ops, CA ops – Add: einfra secops – Adding automated agents for immediate rev.

Thoughts on hosts and robots • 1 year lifetime (= 400 days) is a compromise – Initial request – Renewal (changing key, expiry) – Change request (changing key, adding/removing SANs)

Can we streamline the issuance of hosts and robots? • What is required? – APIs (automation of authorised agents) • • Issuance CCRs, renewal Policy checks Revocation – Involve RPs’ authorised parties • Transparency, e. g. through CT – Need to use/translate CT (somehow) • Corollary: lifetime can be longer (or shorter)

Praeterea Censeo • CAOPS – Place to go and share innovation – Sometimes deployed first and asked questions later • Like questions: – How can we use CT? (if at all) – There already standard or “standard” APIs for many things (CMS, CMP, SCEP, etc. ) – Also the SAML ones