Suggested solutions to certificate handling/generation for server/clients using SSL/TLS.

To: Debian-Edu <debian-edu@lists.debian.org>
Subject: Suggested solutions to certificate handling/generation for server/clients using SSL/TLS.
From: "Herman Robak" <herman@skolelinux.no>
Date: Sun, 29 Aug 2004 12:47:11 +0200
Message-id: <[🔎] opsdhpkxtu5056ey@dhcp147.intern>

	Problem: Incomplete or missing SSL support

Webmin, LDAP, CUPS, Apache, IMAP, POP, SMTP (more?) should all have
proper SSL support, with proper (not self-signed) certificates, with
correct names.

Getting a trusted third party to manually sign the server certificates
of all the servers on a Debian-Edu installation will be too cumbersome.
If the servers are only accessed by clients on the internal Debian-Edu
network, creating a local Certification Authority (CA) will be OK.


	Suggested solution

During installation, a CA will be created.  Maybe before all the SSL-
enabled servers are installed, maybe after; that depends on how we
aim to solve the certificate signing.
 If the CA is in place _before_ the SSL-enabled servers, they can
have a pre-install script generate a signing request.  If the CA
responds, and signs the request, the server gets a properly signed
certificate.  If not, it can fall back to a self-signed certificate.
dpkg-reconfigure ought to repeat this process, in case the CA was
not working at install time.
 Design consideration: The servers could "pull" their certificates
by sending a signing request, or the CA could "push" by putting the
certificate and the private key in a predetermined place.


	Required integration with Debian

We need a framework for distributing the CA certificate to all the
clients.  It should happen without human intervention upon installation.

The name space used is supposed to be the same as in DNS and LDAP.
Integration with debconf to get country code and other settings.

SSL-enabled server packages must send certificate signing requests
to the CA (pull), or have the CA generate signed certificates and
a private key for them (push).
 SSL-enabled client packages must append the CA certificate to their
list of trusted signers (pull).  Or the CA must have the ability to
do so for them (push).  Pull is probably the most "future proof".


	Considerations for the long term

Debian-edu may migrate to AFS and Kerberos in the future.  The use
of local, non-unique, names and a NAT firewall may be abandoned.

--
Herman Robak

Reply to:

Prev by Date: xdebconfigurator_1.09_i386.changes ACCEPTED
Next by Date: DESA-2004-013 - libpng: several vulnerabilities
Previous by thread: xdebconfigurator_1.09_i386.changes ACCEPTED
Next by thread: DESA-2004-013 - libpng: several vulnerabilities
Index(es):
- Date
- Thread