The idea is that there will be a way for a requestor to send apayload to IPA server (or one of its services) with metadata and request a signature. The requester can be authenticated in different ways (password, cert, kerberos, OTP). There should be access control who can request what signing capabilities.

Simo thought that may be this can be solved by Custodia or even a separate project.
His concern is that framework has too many privileges regarding certificates.

Another though that I had was that we can have special purpose subCAs. Those SubCAs would be scoped to a specific group and would allow only signing rather than issuance of the certificates. I do not know whether this mitigates Simo's concerns.

The driver for this requirement is for different projects to be able to sign their images and packages. With docker packaging the need to sign images in an automated fashion becomes really valuable. It might be beneficial is for projects like Fedora, CentOS, Gnome etc.