cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License

QUESTIONS related to authentication #678

Open smithbk opened 8 years ago

smithbk commented 8 years ago

I'm new to CFSSL and have some questions related to authentication. Thanks in advance.

1) In cfssl/cli/serve/serve.go, I see the "authsign" endpoint ... which is the authenticated version of "sign". Is the plan to add an "auth" version of all/most other endpoints as well?

2) I would like to add more endpoints and also add security to all existing endpoints as non-obtrusively to the existing serve.go code as possible. A public method to add a new endpoint would obviously be nice. But in order to add security to existing endpoints, it seems a middleware pattern (like express or sinatra) would work well. However, since each Handle method performs its own ioutil.ReadAll of the request body, it makes this pattern impossible, right? Could the code be changed to use gorilla/mux or something else express or sinatra-like to make this possible?

3) The "newcert" endpoint returns a private key. I thought private keys should never flow over the network. Is this standard or recommended?

Thanks
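As an added illustration of the middleware pattern raised in question 2 (example code written for this page, not from the thread or the cfssl project): a Go `net/http` middleware that checks an HMAC-SHA256 over the request body and then restores the body so a wrapped cfssl-style handler can still do its own `ReadAll`. The `X-Request-HMAC` header, the key and the JSON body are constructed assumptions and do not reproduce cfssl's actual authsign format.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hmacAuth requires X-Request-HMAC (hex) == HMAC-SHA256(key, body). The header
// name is this example's assumption, not cfssl's own authsign format.
func hmacAuth(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // bound the size
		r.Body = io.NopCloser(bytes.NewReader(body))            // restore for next
		got, decErr := hex.DecodeString(r.Header.Get("X-Request-HMAC"))
		if err != nil || decErr != nil || !hmac.Equal(got, mac(key, body)) { // constant-time
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
func mac(key, body []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return m.Sum(nil)
}
// echo stands in for a cfssl-style handler that does its own ReadAll of the body.
func echo(w http.ResponseWriter, r *http.Request) {
	b, _ := io.ReadAll(r.Body)
	w.Write(b)
}
// send posts body through the middleware with hexMAC and returns status and reply.
func send(key []byte, body, hexMAC string) (int, string) {
	req := httptest.NewRequest("POST", "/api/v1/cfssl/sign", strings.NewReader(body))
	req.Header.Set("X-Request-HMAC", hexMAC)
	rec := httptest.NewRecorder()
	hmacAuth(key, http.HandlerFunc(echo)).ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}
func main() {
	key, body := []byte("constructed-demo-key"), `{"hosts":["example.com"]}` // constructed
	fmt.Println(send(key, body, hex.EncodeToString(mac(key, []byte(body))))) // 200 + echoed body
	fmt.Println(send(key, body, "")) // 401: missing MAC
}
```

The wrapped handler sees the full body because the middleware re-buffers it; the `LimitReader` keeps an unauthenticated client from forcing an unbounded read before the MAC check.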

kisom commented 8 years ago

We have thought about adding an auth endpoint to newcert, but we haven't added it in yet.

CFSSL was designed, for our use case, to be used behind another web service or frontend that handles authentication and access control. We don't really make use of middleware right now.

The newcert endpoint is designed for a CFSSL instance running on localhost so that local services can use the CFSSL with a remote endpoint to provide a certificate and private key.

Hopefully this helps.