MyProxy CA for long term certificates / machine identity
- To: myproxy-users@ncsa.uiuc.edu
- Subject: MyProxy CA for long term certificates / machine identity
- From: "Daniel Clark" <dclark@pobox.com>
- Date: Mon, 9 Apr 2007 14:30:52 -0400
Is anyone using, or does anyone have any comments on, the possibility of
using MyProxy CA to generate long-term (1-2 year) certificates for use
with software that expects to use the long-term certificate /
revocation list model instead of the proxy certificate model, such as
IPsec, OpenVPN [1] and Puppet [2]?
I ask because I am currently researching Certificate Authorities to
use with such software [3], and the MyProxy model of generating and
storing the keypairs/certificates on a central server and then handing
them out to authenticated users as needed looks like it would be much
easier to manage than something like OpenCA, OpenXPKI or EJBCA.
I'd also be interested in whether anyone is using, or has any comments on,
the possibility of using MyProxy CA for machine accounts instead of
user accounts - I can see how you could do some cheap hack to get this
to work (e.g. create a bunch of "machineX.domain.com" accounts in the
username/password source MyProxy uses to authenticate users), but I
haven't been able to find any mention of this use case yet via Google.
[1] OpenVPN - An Open Source SSL VPN Solution
http://openvpn.net/
[2] Puppet is system administration — Automated.
http://puppet.reductivelabs.com/
[3] Towards a single PKI for Configuration Management
http://opensysadmin.com/trac/wiki/PkiSecurity
Thanks,
--
Daniel Clark # http://dclark.us # http://opensysadmin.com
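The post contrasts two models: MyProxy's short-lived proxy certificates versus the long-term certificate plus certificate revocation list (CRL) model that IPsec, OpenVPN and Puppet expect, with machine identities named like "machineX.domain.com". The following script is an added example, not code from the original post or from the MyProxy project: it uses only openssl to stand up a throwaway CA, issue a two-year end-entity certificate to a machine identity, publish a CRL, revoke the certificate, and show that verification against the updated CRL fails. The hostnames (machine1.example.com, machine2.example.com), the CA name and the 730-day lifetime are assumptions chosen for the illustration; it assumes an openssl binary on the PATH and a POSIX sh.

```shell
#!/bin/sh
# Added example, not MyProxy or openvpn/puppet code: a minimal openssl-based CA
# that issues two-year "machine identity" certificates and revokes them via a
# CRL, i.e. the long-term certificate / revocation-list model the post contrasts
# with MyProxy's short-lived proxy certificates. Hostnames are hypothetical.
set -eu

WORK=$(mktemp -d)
CFG="$WORK/ca.cnf"
trap 'rm -rf "$WORK"' EXIT

# Write an openssl config: [req] for key/CSR generation, [ca] for signing with a
# 730-day default validity, and end-entity extensions for machine certificates.
write_config() {
  cat > "$CFG" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = machine_ca
[ machine_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 730
default_crl_days = 30
policy           = any_cn
x509_extensions  = machine_ext
[ any_cn ]
commonName = supplied
[ machine_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# Create the CA key, a self-signed CA certificate and an initial (empty) CRL.
setup_ca() {
  write_config
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  openssl req -config "$CFG" -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Example Machine CA" 2>/dev/null
  publish_crl
}

# Generate a key pair for <hostname> and sign a two-year certificate with CN=<hostname>.
issue_machine_cert() {
  openssl req -config "$CFG" -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -config "$CFG" -batch -notext -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# Regenerate the CRL from the CA database (relying parties would fetch this file).
publish_crl() { openssl ca -config "$CFG" -gencrl -out "$WORK/ca.crl" 2>/dev/null; }

# Mark <hostname>'s certificate revoked and publish a fresh CRL.
revoke_machine_cert() {
  openssl ca -config "$CFG" -revoke "$WORK/$1.crt" 2>/dev/null
  publish_crl
}

# Exit 0 only if the cert chains to the CA and is absent from the current CRL.
verify_machine_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -crl_check -CRLfile "$WORK/ca.crl" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# Exit 0 if the cert will still be unexpired <days> from now (-checkend takes seconds).
cert_valid_for_days() {
  openssl x509 -in "$WORK/$1.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

setup_ca
issue_machine_cert machine1.example.com
if verify_machine_cert machine1.example.com; then echo "machine1: valid"; fi
revoke_machine_cert machine1.example.com
if ! verify_machine_cert machine1.example.com; then echo "machine1: revoked by CRL"; fi
```

The point of the CRL step is the operational difference from the proxy model: a two-year machine certificate stays cryptographically valid until its notAfter date, so the only way to cut off a decommissioned or compromised host is to revoke it and make every relying party re-fetch the CRL, whereas a short-lived proxy certificate simply expires. Whichever CA issues the long-lived certificates, the CRL distribution (or OCSP) path has to exist and be checked by the consuming software, as the `-crl_check` flag does here.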