PKI Wishlist

From Dogtag
Jump to: navigation, search

This page contains features we'd like to see in the project. Can you help? Please check our Roadmap also.

General Requests

Misc Features

  • Better Active Directory integration
    • issuing certificates to servers running in Windows via Auto Enrollment Proxy
  • Better integration between Fortitude (mod_nss) and CS
    • automated certificate issuance and renewal
  • OS integration
    • automatic CA discovery
    • centralized policy management
  • Make subsystem smaller and faster
  • Implement a new subsystem to management CRLs, CA certificates (Trust Management Server)
  • Implement document signing subsystem
  • Implement time stamping subsystem
  • Provide user interface to the security domain where subsystem infomation is stored
  • Implement service discovery for the CA service
  • Provide backup and restore capability so that certificates and requests can be migrated easily
  • Integrate log4j into the server

Shared PKI Subsystem Enhancement Requests

Common Features

  • Change the backend to use a sql server
  • Change Java-based console to web-based
  • Provide better UI-based management utility
  • Integrate velocity (template system) into the subsystem
  • Better exception and error handling throughout the server
  • Create symmetric key calls in the JSS library and integrate this new API in pki-symkey
  • Remove the osutil library
  • Improve the startup and shutdown time of the Java servers

Util Features

  • Remove the dependencies on netscape.security.*
    • Change the server to use JSS's ASN.1 decoding/encoding
  • Remove the dependencies on sun.io.*

Individual Server-Side PKI Subsystem Enhancement Requests

Certificate Authority Features

  • Improve the way how we handle large CRLs
  • Implement CMP protocol
  • Make it smaller and more self-contained so that it can be embedded into other applications
  • Support kerberos authentication plugin for enrollment
  • Improve HSM and CA integration, make installing and debugging HSM easier
  • IPA Integration
  • mod_nss Integration
  • Update the user interface with Web 2.0 style
  • Intergrate JAAS Authentication framework into the server
  • Support multiple signing keys within the same instance
  • Support EV certificate profile

Data Recovery Manager Features

  • Need cleaner interface between CA and DRM. Potentially use XML-based protocol.

Online Certificate Status Protocol Manager Features

  • Improve performance
  • Support SCVP
  • Intergrate path validation service

Registration Authority Features

  • Support SCEP encoding/decoding natively in RA.
    • RA currently does not have any ASN.1 facility, and it relies on CA to encode the SCEP and return authentication information back.
  • Support SQL engine other than SQLite
  • Support multiple-level agent approvals
  • Support more authentication types (SQL, flatfile, ...etc)

Token Key Service Features

  • Provide management UI to manage master keys

Token Processing System Features

  • Build a small TPS that has CA/TKS/TPS functionalities all in one
  • Implement TPS in Java
  • Support TPS cloning
  • Consolidate the token management UI and the security officer UI
  • Clean up the protocol between TPS and ESC

PKI Subsystem Tools Enhancement Requests

Java Tools

  • Improve startup time
  • Consider to provide user interfaces to some of the tools

Native Tools

  • Create man pages for the native tools
  • Provide a set of command line utilities, that can be bundled in the base OS, that will enroll, renew certificate in Apache web servers, Machines

Individual Client-Side PKI Subsystem Enhancement Requests

Enterprise Security Features

  • Need ways to enroll a token without the backend (TPS, CA, TKS...etc)
  • Build end-user applications around ESC
    • Sign files, encrypt files
    • ssh to web sites