On 09/24/2013 12:06 PM, Petr Spacek wrote:
> On 24.9.2013 19:23, Erinn Looney-Triggs wrote:
>> I wanted to bring up the idea of integrating TLSA records into FreeIPA
>> so that a host that is issued a certificate for, say, the web server (via
>> dogtag) would also publish that information in DNS using a TLSA record.
>> This is very much like how SSHFP records are handled now in FreeIPA.
>>
>> Has this been considered at all?
>>
>> I am more than happy to write up some more info about this, I just
>> wanted to get a preliminary idea of whether this had been considered at
>> all...
>
> You definitely have my +1!
>
> I'm working on DNSSEC support in FreeIPA, but we didn't go so far in
> our plans :-)
>
> Please create an RFE ticket (request for enhancement):
> https://fedorahosted.org/freeipa/newticket
>
> You will need a Fedora Account; please follow this:
> https://fedoraproject.org/wiki/Account_System/NewAccount
>
> I would recommend you to add your e-mail address to the Cc field in the
> ticket to get the latest updates.
>
> We can continue with the discussion here, of course!
OK, well, here is my vision for this:

I believe you folks are building a web and CLI based interface via IPA into
dogtag. This would tie into that and have something like a check box to
publish the certificate hash in DNS. Again, this is much like SSHFP records.
I don't believe you would want all certificates published via TLSA, so it
should probably be optional. As well, the certificates would have to have a
"purpose", by which I mean a way of differentiating between one for a web
server and one for, say, SMTP. This may tie in with the X.509 constraints,
but I am not sure on that front.

A TLSA record looks much like a SRV record, to wit:

_443._tcp.www.abaqis.com. IN TLSA 3 0 1 23ceabbd33f8458738de1dcec5662c97f4edb5b6251b498274e2351e7f695a04

So clearly, with the port numbers etc. included in there, there would need
to be a way to mark a certificate as a web certificate, etc. The certificate
hashes would also, of course, need to be updated as the certificates are
renewed. This may require a tie-in to certmonger, though I suspect not.

This would be a "very good thing", as TLSA will eventually allow us to
circumvent the extremely broken trust model we have with current CAs, and
FreeIPA looks like a wonderful candidate place to automate exactly this.

Requirements:

TLSA is not very useful without DNSSEC, which you folks are currently
implementing.

BIND >= 9.7.6: though earlier versions can use TLSA records, this was the
version that implemented native handling.

Use cases:

Honestly, at this point there are not a whole lot of programs that can
utilize TLSA. The only notable exception that I know of is postfix, which
will use TLSA natively if configured to do so (thus alleviating the cottage
industry of self-signed certificates for SMTP servers).
Documentation here:
http://www.postfix.org/TLS_README.html#client_tls_dane

There is also a plugin for firefox that will validate TLSA:
https://os3sec.org/

A nice primer on TLSA:
http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec

A program for creating hashes:
http://people.redhat.com/pwouters/hash-slinger/

And a bit of an article on its use:
http://www.internetsociety.org/deploy360/blog/2012/11/hash-slinger-helps-you-easily-create-tlsa-records-for-dnssec-dane/

And finally a link to the RFE:
https://fedorahosted.org/freeipa/ticket/3950

-Erinn
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
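Since the record format is the whole point of the RFE, here is an added example (editor's code, not FreeIPA's, dogtag's or hash-slinger's) showing how the "3 0 1 <hash>" rdata in Erinn's sample record is derived from a certificate's DER bytes, and why the renewal concern raised in the message depends on the selector: with selector 0 (full certificate) the hash changes on every renewal, while with selector 1 (SubjectPublicKeyInfo) it survives a renewal that keeps the same key. The DER handling is a minimal walker over the fixed field order of a Certificate, the sample certificate is constructed with a tiny DER encoder and is unsigned, and the host name www.abaqis.com is reused from the message purely as an illustration.

```python
"""Build and check DANE TLSA records (RFC 6698) for a certificate given as DER.

Added example, not FreeIPA, dogtag or hash-slinger code.  Standard library only:
the certificate is treated as raw DER bytes, so no cryptography package is needed.
The sample certificate below is constructed; it is shaped like an X.509 v3
certificate but is unsigned and exists only to exercise the functions.
"""
import hashlib
import hmac

# Field values from RFC 6698 section 2.1.
USAGE_DANE_EE = 3      # trust this end-entity certificate directly, no PKIX chain needed
SELECTOR_CERT = 0      # hash the whole certificate
SELECTOR_SPKI = 1      # hash only the SubjectPublicKeyInfo
MTYPE_FULL, MTYPE_SHA256, MTYPE_SHA512 = 0, 1, 2


def der_read(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def spki_from_der(cert_der):
    """Extract the SubjectPublicKeyInfo TLV by walking the fixed TBSCertificate layout."""
    tag, pos, _ = der_read(cert_der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = der_read(cert_der, pos)            # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = der_read(cert_der, pos)
    if tag == 0xA0:                                  # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                               # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(cert_der, pos)
    tag, _, end = der_read(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]


def tlsa_owner(host, port, proto="tcp"):
    """Owner name of the record: _<port>._<proto>.<host>."""
    return "_%d._%s.%s." % (port, proto, host.rstrip("."))


def tlsa_association_data(cert_der, selector, mtype):
    """Hex 'certificate association data' for the given selector and matching type."""
    data = cert_der if selector == SELECTOR_CERT else spki_from_der(cert_der)
    if mtype == MTYPE_FULL:
        return data.hex()
    if mtype == MTYPE_SHA256:
        return hashlib.sha256(data).hexdigest()
    if mtype == MTYPE_SHA512:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unknown matching type %r" % mtype)


def tlsa_rdata(cert_der, usage=USAGE_DANE_EE, selector=SELECTOR_CERT, mtype=MTYPE_SHA256):
    """Presentation-format rdata, e.g. '3 0 1 23ceab...'."""
    return "%d %d %d %s" % (usage, selector, mtype,
                            tlsa_association_data(cert_der, selector, mtype))


def tlsa_record(host, port, cert_der, **fields):
    """Complete zone-file line for the certificate served on host:port."""
    return "%s IN TLSA %s" % (tlsa_owner(host, port), tlsa_rdata(cert_der, **fields))


def tlsa_matches(rdata, presented_der):
    """Does a certificate presented in the TLS handshake satisfy this TLSA rdata?"""
    usage, selector, mtype, expected = rdata.split(None, 3)
    actual = tlsa_association_data(presented_der, int(selector), int(mtype))
    return hmac.compare_digest(actual, expected.strip().lower())


# --- constructed sample certificate (no real key, no signature) --------------

def der_tlv(tag, content):
    """Minimal DER encoder: tag byte + definite-form length + content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def sample_spki():
    """Fixed SubjectPublicKeyInfo-shaped blob: rsaEncryption OID + dummy BIT STRING."""
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + b"\x11" * 16))


def sample_cert(spki, serial):
    """Certificate-shaped DER around spki; a new serial (< 128) models a renewal."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))                      # v3
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    empty_name = der_tlv(0x30, b"")                                      # constructed sample only
    validity = der_tlv(0x30, der_tlv(0x17, b"130101000000Z") + der_tlv(0x17, b"140101000000Z"))
    tbs = der_tlv(0x30, version + der_tlv(0x02, bytes([serial])) + sig_alg
                  + empty_name + validity + empty_name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 9))
```

To see the renewal effect, build `old = sample_cert(sample_spki(), 1)` and `new = sample_cert(sample_spki(), 2)`: `tlsa_matches(tlsa_rdata(old), new)` is False, because selector 0 hashes the whole certificate, while `tlsa_matches(tlsa_rdata(old, selector=SELECTOR_SPKI), new)` is True. A publisher that keeps the key across renewals and publishes a "3 1 1" record therefore does not need to touch DNS at renewal time; one that publishes "3 0 1" must update the record before the new certificate goes live, or clients validating DANE will refuse the connection. With a real certificate, `cert_der` is simply the DER file's bytes (`openssl x509 -outform DER`).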
