#3872 [RFE] Add Password Vault (KRA) functionality
Closed: Fixed None Opened 8 years ago by nkinder.

Add PKI KRA component (Vault) to allow secure central storage of user private information (passwords, keys, ...). The feature will utilize Dogtag DRM subsystem.

Related: #4336, #4176, https://fedorahosted.org/389/ticket/47904


Looks Good To Me.
Reflects completely the preliminary design discussions I and Nathan had.

The design does not cover the UI case when the client is the browser. If there are no concerns that everything mentioned can be implemented on the client side inside the browser then this needs to be spelled out. If there are issues then there should be a provisions in the document to address them.

Per the UI I was thinking that too. I don't think it would be safe to send the user's encryption password to the server. I don't know the crypto capabilities of Javascript, and it is probably a bad idea to do it there in any case, so I don't know how we work around that.

There are some references to the KRA. This is the implementation of the DRM, but it should probably be made explicit.

Will we want to be able to limit who can create vault accounts or is it open to all?

There should probably be a section on administrative retrieval of a vault account.

Replying to [comment:3 rcritten]:

Per the UI I was thinking that too. I don't think it would be safe to send the user's encryption password to the server. I don't know the crypto capabilities of Javascript, and it is probably a bad idea to do it there in any case, so I don't know how we work around that.

The browser case would be difficult. I need to give it some more thought, but I will add something to the design page in the meantime to say this is TBD.

There are some references to the KRA. This is the implementation of the DRM, but it should probably be made explicit.

Good catch. I changed these to all use the same naming (DRM).

Will we want to be able to limit who can create vault accounts or is it open to all?

There should probably be a section on administrative retrieval of a vault account.

Agreed. I will add an "Administrative Retrieval" workflow that details how this will differ from the normal retrieval case.

Installation patch is in master:

Tickets #4503, #4504, #4505 track bugs/missing features in installation. Plugin code is still to be written.

This is blocked by a limitation in NSSConnection (ticket #4638).

The missing python-nss functionalities can also be provided by python-cryptography using OpenSSL backend, but currently python-cryptography is not on Fedora yet:

master:

master:

  • df1bd39 Added vault-archive and vault-retrieve commands.

master:

  • 81729e2 vault: Move vaults to cn=vaults,cn=kra
  • e7ac57e vault: Fix ipa-kra-install

master:

  • fc5c614 Added symmetric and asymmetric vaults.
  • 475ade4 Added ipaVaultPublicKey attribute.
  • bf6df3d Added vault access control.

This was the final patch set that made the cut for FreeIPA 4.2 release. The required functionality is there, as described in

http://www.freeipa.org/page/V4/Password_Vault_1.0

Next enhancements are due for next releases.

Metadata Update from @nkinder:
- Issue assigned to edewata
- Issue set to the milestone: FreeIPA 4.2

4 years ago

Login to comment on this ticket.

Metadata