On 9 Apr 2017, at 11:29, Howard Chu hyc@symas.com wrote:
Turbo Fredriksson wrote:
On 9 Apr 2017, at 04:06, Howard Chu hyc@symas.com wrote:
Only difference might be that the local FS isn’t available _outside_ the host, a directory is.
As soon as a host offers something like ssh, then that distinction is gone too.
True.
Moreover, a secure mechanism for distributing private keys to users is required but nobody ever specifies how to do that. Certainly LDAP/TLS is more manageable than sneakernet and this is more bootstrappable.
Yeah, I’ve been struggling like crazy about this the last couple of months.
There are many scripts and some products that can be/handle a CA, but no one seems to have thought about the actual distribution of the result(s).
Or how to restrict queries, distribution and what type of cert is/can be requested.
And every link I’ve ever seen about certs says “then copy it securely to the destination”. But there is no wording on HOW to do that or how to script it (in a more… “automated” fashion).
Everything I’ve seen about the subject is so darn _complex_! It shouldn’t HAVE to be.
So if you can do something like this, and leave the ACL/policies etc to the admin, using existing functionality (ACL/ACI/ppolicy or whatever), I’d be a very happy man! :)
Are you actually talking about OpenLDAP being a “CA” as well? As in, being able to create certificates by requests, or are you talking about OpenLDAP “only” being the … “backend-storage” for such a tool?