From: John Kinsella
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS][PROPOSAL] CA authority plugin definition
Date: Fri, 14 Apr 2017 10:21:37 -0700
Message-Id: <51A21084-0907-4773-B7A0-3E5DE876F791@gmail.com>
References: <7205EFD7-C918-43B9-ABB1-2717465D90D9@shapeblue.com>

I'd suggest taking a look at using Dogtag[1] as well. Actually, that's what the Other Guys also suggest[2].

1: http://pki.fedoraproject.org/wiki/PKI_Main_Page
2: https://wiki.openstack.org/wiki/PKI

> On Apr 14, 2017, at 7:57 AM, Simon Weller wrote:
>
> Daan,
>
> What about integrating something like Vault (https://github.com/hashicorp/vault)?
>
> - Si
>
> ________________________________
> From: Daan Hoogland
> Sent: Friday, April 14, 2017 5:46 AM
> To: dev@cloudstack.apache.org
> Subject: [DISCUSS][PROPOSAL] CA authority plugin definition
>
> Devs,
>
> Following a discussion with a client, they came up with the idea to create a pluggable CA framework. A plugin would serve components in CloudStack that so require (management servers, agents, load balancers, SVMs, etc.) with certificates, answering certificate requests and validating certificates on request.
>
> A default plugin can be written that serves according to its own self-signed root certificate and has its own revocation list, to be managed by the admin.
> Other plugins could forward requests by mail or web to external parties.
>
> A CA plugin will have to:
>
> - Setup: for the default this means creating its certificate; for others it might mean installing an intermediate certificate or configuring a mail or website address.
>
> - Accept and answer certificate requests
>
>   o For client certificates
>
>   o For server certificates
>
> - Accept revocation requests
>
> - Validate a connection request according to origin, certificate and extra data. What that extra data is, is defined by the plugin and can be credentials or field definitions referring to the x509 entries, or for instance the port numbers allowed… this is basically free to the implementer.
>
> A next step will have to be integrating the request calls with installs on targets, but I think as is this feature merits itself, as it could be used with out-of-band configuration management tools as well.
>
> Any thoughts, remarks and critiques are welcome,
>
> daan.hoogland@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London WC2N 4HS, UK
> @shapeblue
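The default plugin Daan sketches (its own self-signed root, answering client and server certificate requests, an admin-managed revocation list, and validating a presented certificate) worked through as an added Go example using only the standard library. It is written for this page; it is not CloudStack code, nor code from Dogtag, Vault or anything else mentioned in the thread. The type and function names (DefaultCA, Sign, Revoke, Validate, NewCSR), the in-memory map standing in for the revocation list, and the sample subject "agent-1" are all assumptions made here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DefaultCA stands in for the proposal's default plugin: a self-signed root, an
// issuing path for certificate requests, and an admin-managed revocation list
// (an in-memory set of revoked serials here; that, like every name, is assumed).
type DefaultCA struct {
	key     *ecdsa.PrivateKey
	cert    *x509.Certificate
	revoked map[string]time.Time // serial number -> time of revocation
	serial  int64
}

// NewDefaultCA is the plugin's setup step: generate a key and self-sign the root.
func NewDefaultCA(name string) (*DefaultCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute), // tolerate small clock skew
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // may issue leaves, never intermediates
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &DefaultCA{key: key, cert: cert, revoked: map[string]time.Time{}, serial: 1}, nil
}

// Sign answers a certificate request for the given extended key usage (client or
// server). Only subject, names and public key come from the CSR; validity, key
// usage and serial number are the CA's decision, not the requester's.
func (ca *DefaultCA) Sign(csrDER []byte, eku x509.ExtKeyUsage, ttl time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err } // proof of possession of the key
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(ca.serial),
		Subject:               csr.Subject,
		DNSNames:              csr.DNSNames,
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(ttl),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true, // IsCA is false: a leaf must never issue
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// Revoke accepts a revocation request; Validate consults the list afterwards.
func (ca *DefaultCA) Revoke(cert *x509.Certificate) { ca.revoked[cert.SerialNumber.String()] = time.Now() }

// Validate checks the chain to the root, the validity period, the expected usage
// (a client certificate is refused where a server one is required) and revocation.
func (ca *DefaultCA) Validate(cert *x509.Certificate, eku x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}}
	if _, err := cert.Verify(opts); err != nil { return err }
	if _, ok := ca.revoked[cert.SerialNumber.String()]; ok { return errors.New("certificate revoked") }
	return nil
}

// NewCSR plays the requesting component (agent, SVM, ...): a fresh key and a CSR.
func NewCSR(cn string, dns []string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dns}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	return der, key, err
}

func main() {
	ca, err := NewDefaultCA("cloudstack-example-root")
	if err != nil { panic(err) }
	csr, _, err := NewCSR("agent-1", []string{"agent-1.example.invalid"}) // constructed sample requester
	if err != nil { panic(err) }
	cert, err := ca.Sign(csr, x509.ExtKeyUsageClientAuth, 24*time.Hour)
	if err != nil { panic(err) }
	fmt.Println("client:", ca.Validate(cert, x509.ExtKeyUsageClientAuth), "| server:", ca.Validate(cert, x509.ExtKeyUsageServerAuth))
	ca.Revoke(cert)
	fmt.Println("after revoke:", ca.Validate(cert, x509.ExtKeyUsageClientAuth))
}
```

Two points a practitioner would want from the default plugin are visible here: Sign checks the CSR's own signature before issuing (proof that the requester holds the key) and takes only the subject, names and public key from the request, so validity, key usage and serial stay under the CA's control; Validate passes the expected extended key usage to Verify, so a certificate issued to an agent for client use is refused if something presents it as a server certificate, and the revocation check runs after chain validation. Publishing the revocation list to other parties (as a CRL via x509.CreateRevocationList, or over OCSP) is left out of the example.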