pki-bot / pki-issues-final


[RFE] provide server-side key generation and archival for user encryption certificates #1479

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #1491. Originally filed by cfu (@cfu) on 2015-07-15 20:18:46:

With regard to key archival, as an alternative to the now-broken CRMF with newer Firefox, we can provide server-side key generation and archival for user encryption certificates. Dogtag currently has existing code pieces that do almost all of what's needed; we just need to make sure we have an end-to-end solution readily provided to be utilized.

With server-side key generation, instead of the traditional CRMF approach, where user keys (for encryption certs) are generated locally on the client machines and transported securely to the CS server, we generate keys on the server side and allow users to retrieve their keys and certs in a secure fashion (e.g. LDAP auth + one-time PIN + user-supplied sym key for p12).

==== Possibly another ticket: (will provide link when created) This method would also allow the administrators to pre-generate user keys and certs (maybe even in a bulk fashion) without user involvement, and only need users to pick up their cert and keys (much like recovery, but without administrator involvement).

==== This could be a separate ticket: (will provide link when created) Another application would be renewal, where the CS server could utilize the above mechanism. Once it is detected that a user enc cert is about to expire, automatic renewal could happen on the server side (keys generated, certs issued, client keys/certs sitting ready to be retrieved by users), etc.
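
The flow described in the ticket (key pair generated on the server, cert issued by the CA, key and cert handed to the user as a PKCS#12 under a passphrase the user chose), as an added example that is not part of the original ticket or of Dogtag's code: the demo CA, the user name alice and the passphrase are constructed, and only openssl(1) is assumed.

```shell
#!/bin/sh
# Added example, not Dogtag code: server-side key generation and PKCS#12 pickup.
# All artifacts go to a scratch directory; the demo CA stands in for the CS server's CA.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed demo CA (self-signed), used only to sign the user cert below.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server-side generation: the key pair and CSR for user $1 are created on the
# server, so no CRMF/key transport from the browser is needed.
issue_user_cert() {
  uid="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=$uid" \
    -keyout "$WORK/$uid.key" -out "$WORK/$uid.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$uid.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$uid.crt" 2>/dev/null
}

# Package key + cert (+ CA chain) as PKCS#12 under the user-supplied passphrase,
# the "user-supplied sym key for p12" from the ticket; this is what the user picks up.
export_p12() {
  uid="$1"; pass="$2"
  openssl pkcs12 -export -inkey "$WORK/$uid.key" -in "$WORK/$uid.crt" \
    -certfile "$WORK/ca.crt" -name "$uid" -passout "pass:$pass" -out "$WORK/$uid.p12"
}

# Pickup check: succeeds only when the PKCS#12 MAC verifies under the given passphrase.
can_open_p12() {
  uid="$1"; pass="$2"
  openssl pkcs12 -in "$WORK/$uid.p12" -passin "pass:$pass" -noout 2>/dev/null
}

# Demo run with constructed values.
USER_PASS="correct-horse-battery"
make_demo_ca
issue_user_cert alice
export_p12 alice "$USER_PASS"
can_open_p12 alice "$USER_PASS" && echo "alice.p12 ready in $WORK"
```

The server-side key file ($WORK/alice.key) is what the archival step would hold; the user only ever receives the passphrase-protected .p12.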

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2016-03-23 01:38:20

This ticket has two FUTURE related tickets:

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2016-09-22 01:47:31

consider: https://tools.ietf.org/html/rfc7030

pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2017-02-27 14:05:19

Metadata Update from @cfu: