Streamlining Issuance of Hosts and Robots: Enhancing Certificate Management
Explore the process of streamlining the issuance of hosts and robots in certificate management, addressing aspects like automation, policy checks, revocation, and transparency through Certificate Transparency (CT). Discover the potential for longer or shorter certificate lifetimes and the need for APIs and involvement of authorized parties in the issuance and renewal process.
Presentation Transcript
Soapbox (Q series): host certificates pictures. Jens, May 19, Utrecht PMA

[Diagram, built up over several slides: HOST and CA at the centre, with Key mgmt, config, DNS, Policy, infra, CRL, OCSP and CT added one at a time around them.]
Notes

Certificate issuances:
- It has the right names (CN, SANs): config, DNS
- It is authorised / memberOf / etc.: config, policy
- Generated keys: host, key mgmt

Revocation:
- Anyone can request revocation
- But not all are equal: sysadmin, RA ops, CA ops
- Add: e-infra secops
- Adding automated agents for immediate revocation
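The checks on this slide (names against config and DNS, requester authorisation via group membership, generated key quality) and the tiered revocation authority can be expressed as a small policy gate. The following is an added example written for this page, not code from the presentation or from any PMA or CA software; the host config, DNS table, group memberships and role names are constructed for illustration, and the request is modelled as a plain dataclass rather than a parsed CSR.

```python
"""Pre-issuance policy checks and tiered revocation authority for host/robot certs.

Added example; not part of the presentation. All tables below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed "config": which names each registered owner may have certified.
HOST_CONFIG = {
    "ce01.example.org": {"owner": "alice", "extra_sans": ["ce.example.org"]},
    "robot-transfer.example.org": {"owner": "robot-svc", "extra_sans": []},
}

# Constructed DNS table standing in for a real forward lookup.
DNS_TABLE = {
    "ce01.example.org": "192.0.2.10",
    "ce.example.org": "192.0.2.10",
    "robot-transfer.example.org": "192.0.2.20",
}

# Constructed group memberships (the "memberOf" check on the slide).
MEMBER_OF = {
    "alice": {"sysadmins", "site-example"},
    "robot-svc": {"site-example"},
    "mallory": set(),
}
SITE_GROUP = "site-example"

# Minimum key sizes accepted by the (constructed) policy.
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}


@dataclass
class CertRequest:
    cn: str
    sans: list[str]
    requester: str
    key_type: str
    key_bits: int


def check_request(req: CertRequest) -> list[str]:
    """Return the list of policy violations; an empty list means the request passes."""
    problems: list[str] = []
    names = [req.cn] + [s for s in req.sans if s != req.cn]

    # Names must be registered in config and owned by the requester.
    entry = HOST_CONFIG.get(req.cn)
    if entry is None:
        problems.append(f"CN {req.cn} is not in the host config")
    else:
        allowed = {req.cn, *entry["extra_sans"]}
        for n in names:
            if n not in allowed:
                problems.append(f"SAN {n} is not permitted for {req.cn}")
        if req.requester != entry["owner"]:
            problems.append(f"{req.requester} is not the registered owner of {req.cn}")

    # Every name must exist in DNS.
    for n in names:
        if n not in DNS_TABLE:
            problems.append(f"{n} does not resolve in DNS")

    # Requester must belong to the site group.
    if SITE_GROUP not in MEMBER_OF.get(req.requester, set()):
        problems.append(f"{req.requester} is not a member of {SITE_GROUP}")

    # Generated key must meet the minimum size for its type.
    minimum = MIN_KEY_BITS.get(req.key_type)
    if minimum is None or req.key_bits < minimum:
        problems.append(f"key {req.key_type}-{req.key_bits} is below the policy minimum")
    return problems


# Revocation: anyone may request it, but only some roles make it take effect
# immediately; the others queue a request for an operator to confirm.
IMMEDIATE_REVOKERS = {"ca-ops", "ra-ops", "einfra-secops", "secops-agent"}


def revocation_outcome(actor_roles: set[str]) -> str:
    """'immediate' if the actor holds a privileged role, otherwise 'request'."""
    return "immediate" if actor_roles & IMMEDIATE_REVOKERS else "request"
```

`check_request` deliberately collects every violation instead of stopping at the first one, so an RA operator sees the whole picture of a bad request; `revocation_outcome` encodes the slide's point that anyone can ask, but only CA ops, RA ops, the proposed e-infra secops role and an automated agent get immediate effect.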
Thoughts on hosts and robots
- 1 year lifetime (= 400 days) is a compromise
- Initial request
- Renewal (changing key, expiry)
- Change request (changing key, adding/removing SANs)

Can we streamline the issuance of hosts and robots? What is required?
- APIs (automation of authorised agents)
- Issuance, CCRs, renewal
- Policy checks
- Revocation
- Involve RPs, authorised parties
- Transparency, e.g. through CT; need to use/translate CT (somehow)
- Corollary: lifetime can be longer (or shorter)
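The two slides above distinguish three request kinds (initial, renewal, change) and tie the 400-day lifetime to the presence of automation and transparency. The following added example, written for this page and not taken from the presentation, classifies a request against the existing certificate record, enforces the lifetime ceiling, and records each issuance in an append-only hash-chained log. That log is a constructed stand-in for the transparency the slide asks for; it is not Certificate Transparency and does not produce CT log entries. Record fields and fingerprints are constructed values.

```python
"""Classify host/robot certificate requests, enforce lifetime, log issuances.

Added example; not the presentation's own code. The hash-chained log is a
stand-in for "transparency", not an implementation of CT.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

MAX_LIFETIME_DAYS = 400  # the "1 year (= 400 days)" compromise on the slide


@dataclass(frozen=True)
class CertRecord:
    cn: str
    sans: frozenset[str]
    key_fingerprint: str  # constructed value, e.g. "sha256:..."
    lifetime_days: int


def classify(existing: CertRecord | None, requested: CertRecord) -> str:
    """'initial' with no prior cert, 'renewal' if only key/expiry change, else 'change'."""
    if existing is None:
        return "initial"
    if existing.cn != requested.cn or existing.sans != requested.sans:
        return "change"  # SANs added or removed
    return "renewal"  # same names; new key and/or new expiry


def lifetime_ok(requested: CertRecord) -> bool:
    """Reject zero, negative or over-ceiling lifetimes."""
    return 0 < requested.lifetime_days <= MAX_LIFETIME_DAYS


class IssuanceLog:
    """Append-only log; each entry commits to its predecessor through a SHA-256 hash."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, kind: str, cert: CertRecord, actor: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "kind": kind, "cn": cert.cn, "sans": sorted(cert.sans),
            "key": cert.key_fingerprint, "lifetime_days": cert.lifetime_days,
            "actor": actor, "prev": prev,
        }
        h = self._digest(body)
        self.entries.append({**body, "hash": h})
        return h

    def verify(self) -> bool:
        """True if every entry links to its predecessor and matches its own hash."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def process_request(log: IssuanceLog, existing: CertRecord | None,
                    requested: CertRecord, actor: str) -> str:
    """Classify, enforce the lifetime ceiling, and log the issuance; return the kind."""
    if not lifetime_ok(requested):
        raise ValueError(f"lifetime {requested.lifetime_days} days exceeds policy")
    kind = classify(existing, requested)
    log.append(kind, requested, actor)
    return kind
```

Because `classify` compares name sets rather than key fingerprints, a request that only rotates the key is a renewal and can be handled by an authorised automated agent, whereas any SAN change is a change request that the slide expects to involve the relying or authorising parties. Tampering with any logged entry breaks the chain and `verify()` reports it.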
Praeterea censeo (and furthermore, I believe): CAOPS
- Place to go and share innovation
- Sometimes deployed first and questions asked later
- Like questions: How can we use CT? (if at all)
- There are already standards or standard APIs for many things (CMS, CMP, SCEP, etc.)
- Also the SAML ones