EasyPKISpec

Revision 1 as of 2009-11-20 20:03:58

Clear message

Summary

This should provide an overview of the issue/functionality/change proposed here. Focus here on what will actually be DONE, summarising that so that other people don't have to read the whole spec. See also CategorySpec for examples.

Release Note

This section should include a paragraph describing the end-user impact of this change. It is meant to be included in the release notes of the first release in which it is implemented. (Not all of these will actually be included in the release notes, at the release manager's discretion; but writing them is a useful exercise.)

It is mandatory.

Rationale

This should cover the _why_: why is this change being proposed, what justifies it, where we see this justified.

User stories

Assumptions

Design

You can have subsections that better describe specific parts of the issue.

Implementation

This section should describe a plan of action (the "how") to implement the changes discussed. Could include subsections like:

UI Changes

Should cover changes required to the UI, or specific UI that is required to implement this

Code Changes

Code changes should include an overview of what needs to change, and in some cases even the specific details.

Migration

Include:

  • data migration, if any
  • redirects from old URLs to new ones, if any
  • how users will be pointed to the new way of doing things, if necessary.

Test/Demo Plan

It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during testing, and to show off after release. Please add an entry to http://testcases.qa.ubuntu.com/Coverage/NewFeatures for tracking test coverage.

This need not be added or completed until the specification is nearing beta.

Unresolved issues

This should highlight any issues that should be addressed in further specifications, and not problems with the specification itself; since any specification with problems cannot be approved.

BoF agenda and discussion

UDS discussion notes

Objectives

  • User-friendly interface to certificate generation
  • Service-oriented plugins for deployment and service-specific needs

Options

  • Package easy-rsa
    • Low-cost, but non-extensible
    • Not suitable for all use cases (i.e. it has some bias towards OpenVPN use)
    • Potentially a worthy goal simply for OpenVPN users, since the current packaging is not ideal
    • Upstream designed it from a "run script in CA directory" perspective, will need a delta with upstream to be FHS-compliant
  • upki: rewrite easy-rsa in python, same feature set, extensible for, say, publication
  • openca
    • more complete solution
    • upstream not very active but CAcert still contributing to it

Timeframe

  • easy-rsa for Lucid (or basic upki)
  • upki for the next LTS cycle

Brainstorm

  • Wizard mode, that could help in generating a CSR, showing some snippets of config file, etc
  • Is there an official group to chown certs to? ie: same cert for Postfix + Apache (yes, ssl-cert)
  • How to deal with ssl certs for Apache virtual hosting
  • OpenLDAP: need to work with self-signed (add tls_checkpeer and TLS_REQCERT in the ldap.conf file?)
  • some kind of notification that certificate will expire in X days
    • motd entry, email, nagios/nrpe check
  • install easy-pki with openssl (it should be small, so it won't take prescious resources

CategorySpec