Dogtag Certificate System 10.0 (Alpha)
What's new?
Dogtag Certificate System 10.0 (Alpha) builds upon Dogtag Certificate System 9.0 and represents an alpha release of the future direction for Dogtag PKI technology.
This release contains the following features:
- Extension of the functionality of the DRM to store and retrieve symmetric keys and passphrases, rather than only asymmetric keys. This feature allows the DRM to be used as a secure vault-like storage for essentially any sensitive data. The data is stored using the same secure FIPS-compliant storage mechanism used to store PKI keys.
- The new DRM functionality is exposed through a new REST interface, provided by the RESTEasy framework. This provides an intuitive mechanism for writing clients to the interface. Both Java (using the RESTEasy client proxy framework) and Python clients have been coded. The server uses standard Java libraries to generate and parse XML or JSON input and output data.
- Extracted authentication and authorization code from the individual servlets into a standard Tomcat authentication realm. This realm has been configured to require client certificate authentication, and is being used to secure the new DRM REST interface. In the future, this authentication realm could be extended to include other kinds of authentication (such as Kerberos). This is part of a push to refactor the code to expose the core business functionality in the servlets, while extracting the ancillary tasks (authentication, authorization, XML parsing and generation, etc.) and using standard methods and libraries to accomplish these tasks.
- Enhanced the Java subsystems so that they can connect to the internal database as a non-Directory Manager user that is authenticated with client certificate authentication. This resolves a number of issues with LDAP operations ignoring search limits. In addition, some changes have been made to allow integrating the Dogtag database with other systems such as IPA.
- A new package pki-deploy contains the initial framework for a Python-based installer/de-installer (pkispawn/pkidestroy) that will be used to install and configure a Dogtag instance. This will ultimately replace the pki-setup installer/de-installer (pkicreate, pkidestroy) package, and the pki-silent instance configuration (pkisilent) package.
- Much of the focus of this release was on cleaning up and modernizing the Dogtag source code:
  - Dogtag source code has been moved to git.
  - Java coding standards have been revised, and the code has been reformatted to match those standards.
  - Initially, Eclipse reported about 13000 warnings in the Dogtag code. Those have been reduced to close to 2400. This included removing dead and unused code, replacing calls to deprecated functions, and replacing raw collections with type-safe generics.
    - NOTE: These numbers currently exclude console code.
  - OSUtil is a package that provided certain utilities that were not available when the Dogtag code was originally written. These utilities are now available in current standard libraries, so this package has been eliminated entirely.
- Improved handling of short- and long-lived threads, allowing threads to exit gracefully on shutdown.
Dogtag Certificate System 9.0
What's new?
Dogtag Certificate System 9.0 represents the latest release of Dogtag PKI technology.
Dogtag Certificate System 9.0 builds upon Dogtag Certificate System 1.3 and provides the following significant changes:
- Designed to integrate seamlessly with FreeIPA
- Updated to utilize 'tomcat6' rather than 'tomcat5'
- Streamlined 'pkicreate'/'pkiremove'/'registry' code to be more efficient
- Improved SCEP feature support - see PKI SCEP Support In Certificate System
- Implemented Publishing Queue - see PKI Publishing Queue
- Replaced 'ant'/'autoconf'-based build system with a new 'CMake'-based build system
- SRPM source packages were re-organized - see PKI Packages
- Fixed approximately 275 Bugs - see PKI Bugs closed between Dogtag 1.3 and Dogtag 9.0
- Support for 32-bit and 64-bit versions of Fedora 15
Dogtag Certificate System 1.3
What's new?
Dogtag Certificate System 1.3 was primarily created for integration into the Fedora 13 release.
Dogtag Certificate System 1.3 builds upon Dogtag Certificate System 1.2.0 and provides the following changes:
- Spec File changes required for integration into the Fedora 13 release
- Separation of default PKI instance creation from PKI subsystem packaging by means of an integrated 'registry'
- Numerous Bug Fixes (see Bugzilla Bug Database)
- Support for 32-bit and 64-bit versions of Fedora 11, Fedora 12, and Fedora 13
- Support for 32-bit and 64-bit versions of EPEL packages on RHEL 5.5
- An additional port is now required on the CA for EE client auth interactions. This is required so that the CA can work seamlessly with the latest NSS patches that address the TLS renegotiation MITM vulnerability (CVE-2009-3555). Refer to http://kbase.redhat.com/faq/docs/DOC-23543 for more details.
- Numerous improvements to cloning, including the ability to clone a clone without referring to the original master as the master of the security domain.
- Support for asynchronous key recovery.
Currently the TPS and RA subsystems will not work on RHEL 5.5, as they require a later version of mod_nss. For details on this and other known issues, please review the List of Known Issues.
Dogtag Certificate System 1.2.0
What's new?
Dogtag Certificate System 1.2.0 is primarily a bug fix release, with approximately 300 bugs fixed. Improvements have been made to virtually every subsystem.
Dogtag Certificate System 1.2.0 builds upon Dogtag Certificate System 1.1.0 and resolves numerous bugs including:
- Fixes to installation scripts and the configuration wizard
- Improvements for the handling of UTF8 Characters
- Migration script and tool improvements
- Fixes numerous problems related to HSM configurations
- Smartcard Middleware and TPS server improvements
- Fixes the way ECC signature requests are handled
- New platform support for 32-bit and 64-bit versions of Fedora 11
Further details on all the Dogtag bugs fixed in this release, as well as details on bugs that remain unresolved, can be found at the Bugzilla Bug Database.
Dogtag Certificate System 1.1.0
What's new?
The release of Dogtag Certificate System 1.1.0 serves as the development base for Red Hat Certificate System 8.0.0, and contains the following enhancements:
- Dogtag Certificate System 1.1.0 builds upon the open source model originally established by Dogtag Certificate System 1.0.0 and adds numerous features including:
  - Enhanced integration with FreeIPA
  - Supports UUID issuance natively
  - Provides data storage by the latest Fedora Directory Server
  - Support for IPv6
  - SELinux policy integration
  - Support for 3rd party ECC plugin modules
  - Numerous smart card enhancements including support for additional hardware tokens and 2048-bit keys
  - Certificate Renewal
  - TPS Roles
  - Support for using HTTP 1.1 for CRL distribution
  - Port Separation of End Entity (EE), Agent, and Admin users
  - Numerous bug fixes and security enhancements
  - Platform support for 32-bit and 64-bit versions of Fedora 8, Fedora 9, and Fedora 10
Dogtag Certificate System 1.0.0
What's new?
This initial release of Dogtag Certificate System 1.0.0 has been heavily modeled after Red Hat Certificate System 7.3.0, and contains the following enhancements:
- The source code for Dogtag Certificate System 1.0.0 is completely open source!
- Dogtag Certificate System 1.0.0 separates the user interface (ui) information from the six top-level subsystems:
  - Certificate Authority (CA),
  - Data Recovery Manager (DRM),
  - Online Certificate Status Protocol (OCSP) Manager,
  - Registration Authority (RA),
  - Token Key Service (TKS), and
  - Token Processing System (TPS).
- Dogtag Certificate System 1.0.0 includes a built-in mechanism to provide seamless data migration to future releases of this project.
- Provides a new way to store request attributes. The schema has been changed for this feature.
- Contains new build scripts
- Incorporates several new JUnit tests
Installation
Follow the installation instructions to install and configure the initial instance of each PKI subsystem.
