
Bug#827358: ITP: lacme-accountd -- lacme account key manager



Package: wnpp
Severity: wishlist
Owner: Guilhem Moulin <guilhem@guilhem.org>

* Package name    : lacme-accountd
  Version         : 0.1
  Upstream Author : Guilhem Moulin <guilhem@fripost.org>
* URL             : https://git.guilhem.org/lacme/about/
* License         : GPL-3+
  Programming Lang: Perl
  Description     : lacme account key manager

lacme is an ACME client written with process isolation and minimal
privileges in mind.  It is divided into four components, each with its
own executable:

  * A process to manage the account key and issue SHA-256 signatures
    needed for each ACME command.  (This process binds to a UNIX-domain
    socket to reply to signature requests from the ACME client.)  One
    can use the UNIX-domain socket forwarding facility of OpenSSH 6.7
    and later to run this process on a different host.

  * A "master" process, which runs as root and is the only component
    with access to the private key material of the server keys.  It is
    used to fork the ACME client (and optionally the ACME webserver)
    after dropping root privileges.  For certificate issuances, it also
    generates Certificate Signing Requests, then verifies the validity
    of the issued certificate, and optionally reloads or restarts
    services.

  * An actual ACME client, which builds ACME commands and dialogues with
    the remote ACME server.  Since ACME commands need to be signed with
    the account key, the "master" process passes the UNIX-domain socket
    of the account key manager to the ACME client: data signatures are
    requested by writing the data to be signed to the socket.

  * For certificate issuances, an optional webserver, which is spawned
    by the "master" process when no service is listening on the HTTP
    port.  (The only challenge type currently supported is "http-01",
    which requires a webserver to answer challenges.)  That webserver
    only processes GET and HEAD requests under the
    "/.well-known/acme-challenge/" URI.  By default some iptables(8)
    rules are automatically installed to open the HTTP port, and removed
    afterwards.

lacme-accountd is the first (account key manager) component.  It is the
only component with access to the account key.

-- 
Guilhem.

Attachment: signature.asc
Description: PGP signature
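The account key manager / ACME client split described above, as an added
example that is not lacme code and not part of the original mail: a
key-holding process answers signature requests over a UNIX-domain socket,
and the requesting process never has key material in its address space.
Everything below is constructed for the example: the 4-byte length-prefixed
wire format, the MAX_REQUEST bound, and the HMAC-SHA256 key standing in for
the account key (lacme's real account key is asymmetric and its socket
protocol is not described in the ITP).  socketpair() is used instead of a
filesystem socket so the example runs without touching the filesystem; the
roles are arranged so the parent (client) gets the result back, whereas in
lacme the root "master" forks the unprivileged client and hands it the
account manager's socket.

```python
"""Minimal privilege-separated signing service (added example, not lacme code).

Only the forked key-manager process calls load_account_key(); the client side
only ever sees the socket and the returned signature.
"""
import hashlib
import hmac
import os
import socket
import struct
from typing import Optional

# Constructed stand-in for the account key (hypothetical; lacme's real
# account key is asymmetric and used for JWS signatures).
ACCOUNT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
MAX_REQUEST = 16 * 1024        # refuse to sign anything larger (bounds memory)
HEADER = struct.Struct("!I")   # 4-byte big-endian length prefix


def load_account_key() -> bytes:
    """Called only in the key-manager process.  A real daemon would read a
    0600 key file owned by its own unprivileged user here."""
    return ACCOUNT_KEY


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, raising ConnectionError on early EOF."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket mid-message")
        buf += chunk
    return bytes(buf)


def serve_one_request(sock: socket.socket, key: bytes) -> None:
    """Key-manager side: answer one request.  Request = length + data;
    reply = length + signature, or a zero length to refuse."""
    (length,) = HEADER.unpack(recv_exact(sock, HEADER.size))
    if length > MAX_REQUEST:
        remaining = length          # drain the body in bounded chunks, then refuse
        while remaining:
            chunk = sock.recv(min(remaining, 4096))
            if not chunk:
                break
            remaining -= len(chunk)
        sock.sendall(HEADER.pack(0))
        return
    data = recv_exact(sock, length)
    sig = hmac.new(key, data, hashlib.sha256).digest()
    sock.sendall(HEADER.pack(len(sig)) + sig)


def request_signature(sock: socket.socket, data: bytes) -> Optional[bytes]:
    """Client side: send the data, receive the signature (None if refused).
    Nothing here touches key material."""
    sock.sendall(HEADER.pack(len(data)) + data)
    (length,) = HEADER.unpack(recv_exact(sock, HEADER.size))
    if length == 0:
        return None
    return recv_exact(sock, length)


def run_isolated(data: bytes) -> Optional[bytes]:
    """Fork a key-manager child holding one end of a UNIX socketpair and
    obtain a signature from the parent, which never loads the key."""
    client_end, manager_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:                    # child: the key manager
        client_end.close()
        try:
            serve_one_request(manager_end, load_account_key())
        except Exception:
            os._exit(1)
        os._exit(0)                 # never return into the parent's code path
    manager_end.close()             # parent: only the client end stays open
    try:
        return request_signature(client_end, data)
    finally:
        client_end.close()
        os.waitpid(pid, 0)


def verify_signature(data: bytes, sig: bytes) -> bool:
    """With the HMAC stand-in, verification needs the key and so belongs on the
    key-manager side; with a real asymmetric account key the ACME server
    verifies against the public key instead."""
    expected = hmac.new(load_account_key(), data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    payload = b'{"protected":"...","payload":"..."}'   # constructed sample
    signature = run_isolated(payload)
    print("signature:", signature.hex())
    print("verifies:", verify_signature(payload, signature))
    print("oversized request refused:", run_isolated(b"A" * (MAX_REQUEST + 1)) is None)
```

The refusal path matters as much as the happy path: a signing oracle that
accepts unbounded input from its less-privileged peer can be driven into
memory exhaustion, so the manager drains and refuses rather than buffering.
The same framing works unchanged over an OpenSSH-forwarded UNIX socket, which
is how the ITP describes running the key manager on another host.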

