#1491 [RFE] provide server-side key generation and archival for user encryption certificates
Closed: migrated 3 years ago by dmoluguw. Opened 8 years ago by cfu.

With regard to key archival, as an alternative to the now broken CRMF with newer Firefox, we can provide server-side key generation and archival for user encryption certificates. Dogtag currently has existing code pieces that do almost all of what's needed; we just need to make sure we have an end-to-end solution provided readily to be utilized.

With server-side key generation, instead of the traditional CRMF where user keys (for encryption certs) are generated locally on the client machines, and transported securely to the CS server, we generate keys on the server side, and allow users to retrieve their keys and certs in a secure fashion (e.g. ldap auth + one time pin + user-supplied sym key for p12).

====
Possibly another ticket: (will provide link when created)
This method would also allow the administrators to pre-generate user keys and certs (maybe even in a bulk fashion) without user involvement, and only need users to pick up their cert and keys (much like recovery, but without administrator involvement).

====
This could be a separate ticket: (will provide link when created)
Another application would be renewal, where the CS server could utilize the above mechanism. Once it is detected that a user enc cert is about to expire, automatic renewal could happen on the server side (keys generated, certs issued, client keys/certs sitting ready to be retrieved by users), etc.


This ticket has two FUTURE related tickets:

Metadata Update from @cfu:
- Issue set to the milestone: UNTRIAGED

7 years ago
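The pickup flow the ticket describes (server-side generation and archival, then retrieval gated by directory authentication, a one-time PIN and a user-supplied secret for the PKCS#12), as an added example in Ruby; this is not code from the ticket or from Dogtag, and everything in it is assumed: `KeyServer`, `client_unpack` and the other names are hypothetical, directory authentication is represented by a boolean result passed in by the caller, the KRA's storage key is a plain AES key held in memory, and the certificate is self-signed where a deployment's CA would issue it.

```ruby
require "openssl"
require "securerandom"

# Hypothetical model of the CS side: a storage key standing in for the KRA's, the archive of
# user certs and wrapped keys, and outstanding one-time pickup PINs (only their HMACs are kept).
class KeyServer
  def initialize
    @storage_key = SecureRandom.random_bytes(32)
    @pin_key = SecureRandom.random_bytes(32)
    @archive = {} # user => { cert: DER, wrapped: nonce || tag || ciphertext of the key }
    @pins = {}    # user => HMAC of the outstanding one-time PIN
  end

  # Server-side generation: RSA key, certificate (self-signed here; a deployment's CA would
  # sign it), archival of the key wrapped under the storage key, and a one-time pickup PIN.
  def generate_and_archive(user)
    key = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = SecureRandom.random_number(2**63)
    cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{user}")
    cert.public_key = key.public_key
    cert.not_before = Time.now
    cert.not_after = Time.now + 365 * 24 * 3600
    cert.sign(key, OpenSSL::Digest.new("SHA256"))
    @archive[user] = { cert: cert.to_der, wrapped: seal(@storage_key, key.to_der, user) }
    pin = SecureRandom.hex(8)
    @pins[user] = pin_mac(user, pin) # the PIN itself is never stored
    pin
  end

  # Pickup: directory authentication (its result is passed in), single-use PIN check, then the
  # archived key is unwrapped and packaged as a PKCS#12 under the user-supplied passphrase.
  # Returns the PKCS#12 DER, or nil when any check fails.
  def retrieve(user, ldap_auth_ok, pin, passphrase)
    mac = @pins.delete(user) # single use: consumed whether or not the check below passes
    return nil unless ldap_auth_ok && mac && constant_time_eq(mac, pin_mac(user, pin))
    return nil unless (entry = @archive[user])
    key = OpenSSL::PKey.read(unseal(@storage_key, entry[:wrapped], user))
    cert = OpenSSL::X509::Certificate.new(entry[:cert])
    OpenSSL::PKCS12.create(passphrase, user, key, cert).to_der
  end

  private

  def pin_mac(user, pin)
    OpenSSL::HMAC.digest("SHA256", @pin_key, "#{user}:#{pin}")
  end

  # Constant-time comparison so PIN checking does not leak which byte differed.
  def constant_time_eq(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # AES-256-GCM with the user name as associated data; output is nonce || tag || ciphertext.
  def seal(k, plaintext, aad)
    c = OpenSSL::Cipher.new("aes-256-gcm")
    c.encrypt
    c.key = k
    nonce = c.random_iv
    c.auth_data = aad
    ct = c.update(plaintext) + c.final
    nonce + c.auth_tag + ct
  end

  def unseal(k, blob, aad)
    c = OpenSSL::Cipher.new("aes-256-gcm")
    c.decrypt
    c.key = k
    c.iv = blob[0, 12]
    c.auth_tag = blob[12, 16]
    c.auth_data = aad
    c.update(blob[28..]) + c.final # raises CipherError if the archive record was tampered with
  end
end

# Client side: open the PKCS#12 with the passphrase and confirm the key matches the certificate.
# Returns [key, cert], or nil if the passphrase is wrong or the file is malformed.
def client_unpack(p12_der, passphrase)
  p12 = OpenSSL::PKCS12.new(p12_der, passphrase)
  raise "key does not match certificate" unless p12.certificate.check_private_key(p12.key)
  [p12.key, p12.certificate]
rescue OpenSSL::PKCS12::PKCS12Error
  nil
end
```

A mistyped PIN burns it, so the user has to be issued a new one rather than retrying; the server holds only the HMAC of the PIN and the storage-key-wrapped private key, so a dump of its state yields neither without the corresponding secret.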

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2050

If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
