EasyPKISpec
Launchpad Entry: server-lucid-easy-pki
Created:
Contributors:
Packages affected:
Summary
This should provide an overview of the issue/functionality/change proposed here. Focus here on what will actually be DONE, summarising that so that other people don't have to read the whole spec. See also CategorySpec for examples.
Release Note
This section should include a paragraph describing the end-user impact of this change. It is meant to be included in the release notes of the first release in which it is implemented. (Not all of these will actually be included in the release notes, at the release manager's discretion; but writing them is a useful exercise.)
It is mandatory.
Rationale
This should cover the _why_: why is this change being proposed, what justifies it, where we see this justified.
User stories
Assumptions
Design
You can have subsections that better describe specific parts of the issue.
Implementation
This section should describe a plan of action (the "how") to implement the changes discussed. Could include subsections like:
UI Changes
Should cover changes required to the UI, or specific UI that is required to implement this
Code Changes
Code changes should include an overview of what needs to change, and in some cases even the specific details.
Migration
Include:
- data migration, if any
- redirects from old URLs to new ones, if any
- how users will be pointed to the new way of doing things, if necessary.
Test/Demo Plan
It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during testing, and to show off after release. Please add an entry to http://testcases.qa.ubuntu.com/Coverage/NewFeatures for tracking test coverage.
This need not be added or completed until the specification is nearing beta.
Unresolved issues
This should highlight any issues that should be addressed in further specifications, and not problems with the specification itself; since any specification with problems cannot be approved.
BoF agenda and discussion
UDS discussion notes
Objectives
- User-friendly interface to certificate generation
- Service-oriented plugins for deployment and service-specific needs
Options
- Package easy-rsa
- Low-cost, but non-extensible
- Not suitable for all use cases (i.e. it has some bias towards OpenVPN use)
- Potentially a worthy goal simply for OpenVPN users, since the current packaging is not ideal
- Upstream designed it from a "run script in CA directory" perspective, will need a delta with upstream to be FHS-compliant
- upki: rewrite easy-rsa in python, same feature set, extensible for, say, publication
- openca
- more complete solution
- upstream not very active but CAcert still contributing to it
Timeframe
- easy-rsa for Lucid (or basic upki)
- upki for the next LTS cycle
Brainstorm
- Wizard mode, that could help in generating a CSR, showing some snippets of config file, etc
- Is there an official group to chown certs to? ie: same cert for Postfix + Apache (yes, ssl-cert)
- How to deal with ssl certs for Apache virtual hosting
- OpenLDAP: need to work with self-signed (add tls_checkpeer and TLS_REQCERT in the ldap.conf file?)
- some kind of notification that certificate will expire in X days
- motd entry, email, nagios/nrpe check
- install easy-pki with openssl (it should be small, so it won't take prescious resources