From Anil.Saldhana at redhat.com Thu Jul 3 12:41:26 2014
From: Anil Saldhana (Anil.Saldhana at redhat.com)
Date: Thu, 03 Jul 2014 11:41:26 -0500
Subject: [security-dev] PicketLink and Certificate Management API
In-Reply-To: <1267728837.493752.1403116509381.JavaMail.zimbra@redhat.com>
References: <1665472278.480908.1403116120916.JavaMail.zimbra@redhat.com> <978682432.485880.1403116350549.JavaMail.zimbra@redhat.com> <1267728837.493752.1403116509381.JavaMail.zimbra@redhat.com>
Message-ID: <53B587B6.2070607@redhat.com>

Pedro,
if the partition can perform the tasks of a CA, that is fine.

But we need a separate independent code base to do the Certificate Management.

We may have a circular dependency here because the Cert Mgmt stuff may want to use PL IDM to interact with the data stores - file, ldap, DB. :)

Regards,
Anil

On 06/18/2014 01:35 PM, Pedro Igor Silva wrote:
> Yeah, that is the idea too. Giriraj Sharma wants to help us in the future to provide a UI based on that.
>
> ----- Original Message -----
> From: "Pedro Igor Silva"
> To: "security-dev"
> Sent: Wednesday, June 18, 2014 3:32:30 PM
> Subject: Re: [security-dev] PicketLink and Certificate Management API
>
> Sorry, there was an error in the example. This is the correct code:
>
> X509Certificate userCert = authority.issue(certRequest); // issue a cert for user and sign it with the CA key
>
> ----- Original Message -----
> From: "Pedro Igor Silva"
> To: "security-dev"
> Sent: Wednesday, June 18, 2014 3:28:40 PM
> Subject: [security-dev] PicketLink and Certificate Management API
>
> Hi,
>
> We're looking to provide an API to easily enable Key and Certificate Management for PicketLink-based applications.
>
> The idea is to turn a partition into a Certification Authority, responsible for issuing, validating, revoking and renewing certificates for the identity types (e.g. users, devices, etc.) associated with it.
>
> In the future, we also want to provide:
>
> - RESTful endpoints to perform not only certificate operations, but also manage keys, especially public keys. Probably using JSON Web Keys (JWK).
> - Better support for HTML5 and mobile applications that require some kind of support for certificates, asymmetric keys, signature and encryption, especially when using JWT and JOSE.
> - Support for Java KeyStores to load and store keys.
>
> So far we did something like:
>
> CertificateConfig config = new DefaultCertificateConfig();
>
> // set config with signature algo, cert sign algo, default validity, bit length, etc
>
> // create a CA based on an existing partition
> CertificateAuthority authority = new DefaultCertificateAuthority(partition, config);
>
> User user = // get user
>
> CertificateRequest certRequest = new DefaultCertificateRequest(user, config);
>
> X509Certificate userCert = ca.issue(certRequest); // issue a cert for user and sign it with the CA key
>
> We're still working on it. But would like to check your feedback or opinions about requirements and use cases.
>
> Regards.
> Pedro Igor

From psilva at redhat.com Thu Jul 3 20:43:35 2014
From: Pedro Igor Silva (psilva at redhat.com)
Date: Thu, 3 Jul 2014 20:43:35 -0400 (EDT)
Subject: [security-dev] PicketLink and Certificate Management API
In-Reply-To: <53B587B6.2070607@redhat.com>
References: <1665472278.480908.1403116120916.JavaMail.zimbra@redhat.com> <978682432.485880.1403116350549.JavaMail.zimbra@redhat.com> <1267728837.493752.1403116509381.JavaMail.zimbra@redhat.com> <53B587B6.2070607@redhat.com>
Message-ID: <1538047878.2978811.1404434615553.JavaMail.zimbra@redhat.com>

The motivation behind a partition performing CA tasks is that partitions are in essence security domains or realms.

We are already working on an independent code base for cert and key mgmt.
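The lifecycle sketched in Pedro's June 18 proposal quoted above (a partition acting as the CA for its own identities; issue, validate, revoke and renew), modelled with Go's standard crypto/x509 package. This is an added illustration, not PicketLink code: the PartitionCA type, its methods and the identity names are hypothetical, and the in-memory revoked set stands in for a real CRL or data store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// PartitionCA (hypothetical): one partition (realm) owns a CA key and issues, validates and revokes certs for its identities.
type PartitionCA struct {
	Name    string
	key     *ecdsa.PrivateKey
	cert    *x509.Certificate
	serial  int64           // last serial issued; a real CA would persist this
	revoked map[string]bool // serial number -> revoked (in-memory stand-in for a CRL)
}

// NewPartitionCA generates the partition's key pair and its self-signed CA certificate.
func NewPartitionCA(name string, validity time.Duration) (*PartitionCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name + " partition CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(validity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &PartitionCA{Name: name, key: key, cert: cert, serial: 1, revoked: map[string]bool{}}, nil
}

// Issue signs a client-auth leaf certificate for one identity (user, device) of this partition with the CA key. Renewal is simply a fresh Issue for the same identity.
func (ca *PartitionCA) Issue(identity string, pub *ecdsa.PublicKey, validity time.Duration) (*x509.Certificate, error) {
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{CommonName: identity, OrganizationalUnit: []string{ca.Name}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key) // signed by the partition CA
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// Revoke records the serial so that Validate rejects the certificate from now on.
func (ca *PartitionCA) Revoke(c *x509.Certificate) { ca.revoked[c.SerialNumber.String()] = true }

// Validate checks revocation, then chains the certificate to this partition's CA only,
// so a certificate issued by another partition's CA is rejected here.
func (ca *PartitionCA) Validate(c *x509.Certificate) error {
	if ca.revoked[c.SerialNumber.String()] { return errors.New("certificate revoked") }
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```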
_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev

From bburke at redhat.com Fri Jul 4 10:46:41 2014
From: Bill Burke (bburke at redhat.com)
Date: Fri, 04 Jul 2014 10:46:41 -0400
Subject: [security-dev] PicketLink and Certificate Management API
In-Reply-To: <1538047878.2978811.1404434615553.JavaMail.zimbra@redhat.com>
References: <1665472278.480908.1403116120916.JavaMail.zimbra@redhat.com> <978682432.485880.1403116350549.JavaMail.zimbra@redhat.com> <1267728837.493752.1403116509381.JavaMail.zimbra@redhat.com> <53B587B6.2070607@redhat.com> <1538047878.2978811.1404434615553.JavaMail.zimbra@redhat.com>
Message-ID: <53B6BE51.5040800@redhat.com>

Would be nice if CA could be as separate as possible from PL IDM API. Then we could use it in Keycloak.

On 7/3/2014 8:43 PM, Pedro Igor Silva wrote:
> The motivation behind partition performing CA tasks is that partitions are in essence security domains or realms.
>
> We are already working in an independent code base for cert and key mgmt.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From asaldhan at redhat.com Fri Jul 4 11:58:53 2014
From: Anil Saldhana (asaldhan at redhat.com)
Date: Fri, 4 Jul 2014 11:58:53 -0400 (EDT)
Subject: [security-dev] PicketLink and Certificate Management API
In-Reply-To: <53B6BE51.5040800@redhat.com>
References: <1665472278.480908.1403116120916.JavaMail.zimbra@redhat.com> <978682432.485880.1403116350549.JavaMail.zimbra@redhat.com> <1267728837.493752.1403116509381.JavaMail.zimbra@redhat.com> <53B587B6.2070607@redhat.com> <1538047878.2978811.1404434615553.JavaMail.zimbra@redhat.com> <53B6BE51.5040800@redhat.com>
Message-ID: <35503A57-E5F5-414D-BADF-31EE87FA0037@redhat.com>

CA is an independent set of libraries. Projects will be able to use them separately. If the certificates have to be stored in a data store such as db, ldap then it is better to use the PL IDM as an implementation detail.

> On Jul 4, 2014, at 9:46 AM, Bill Burke wrote:
>
> Would be nice if CA could be as separate as possible from PL IDM API.
> Then we could use it in Keycloak.
From psilva at redhat.com Sat Jul 5 06:26:01 2014
From: Pedro Igor Silva (psilva at redhat.com)
Date: Sat, 5 Jul 2014 06:26:01 -0400 (EDT)
Subject: [security-dev] PicketLink and Certificate Management API
In-Reply-To: <35503A57-E5F5-414D-BADF-31EE87FA0037@redhat.com>
References: <1665472278.480908.1403116120916.JavaMail.zimbra@redhat.com> <978682432.485880.1403116350549.JavaMail.zimbra@redhat.com> <1267728837.493752.1403116509381.JavaMail.zimbra@redhat.com> <53B587B6.2070607@redhat.com> <1538047878.2978811.1404434615553.JavaMail.zimbra@redhat.com> <53B6BE51.5040800@redhat.com> <35503A57-E5F5-414D-BADF-31EE87FA0037@redhat.com>
Message-ID: <2010461148.3299419.1404555961078.JavaMail.zimbra@redhat.com>

We can do something similar to what you did in KC, an SPI that you can extend to plug in different storage providers.

Bill, it would be nice if you could provide some more input about KC cert and key mgmt requirements.

----- Original Message -----
From: "Anil Saldhana"
To: "Bill Burke"
Cc: security-dev at lists.jboss.org
Sent: Friday, July 4, 2014 12:58:53 PM
Subject: Re: [security-dev] PicketLink and Certificate Management API

CA is an independent set of libraries. Projects will be able to use them separately. If the certificates have to be stored in a data store such as db, ldap then it is better to use the PL IDM as an implementation detail.
From sbryzak at redhat.com Sun Jul 6 22:26:29 2014
From: Shane Bryzak (sbryzak at redhat.com)
Date: Mon, 07 Jul 2014 10:26:29 +0800
Subject: [security-dev] Securing your app with PicketLink and DeltaSpike
Message-ID: <53BA0555.2050306@redhat.com>

http://in.relation.to/Bloggers/SecuringYourApplicationsWithPicketLinkAndDeltaSpike

From asaldhan at redhat.com Sun Jul 6 22:44:41 2014
From: Anil Saldhana (asaldhan at redhat.com)
Date: Sun, 6 Jul 2014 22:44:41 -0400 (EDT)
Subject: [security-dev] Securing your app with PicketLink and DeltaSpike
In-Reply-To: <53BA0555.2050306@redhat.com>
References: <53BA0555.2050306@redhat.com>

We can also post a copy on the PL website. Great article, Shane.
> On Jul 6, 2014, at 9:26 PM, Shane Bryzak wrote:
>
> http://in.relation.to/Bloggers/SecuringYourApplicationsWithPicketLinkAndDeltaSpike

From psilva at redhat.com Mon Jul 7 09:40:30 2014
From: Pedro Igor Silva (psilva at redhat.com)
Date: Mon, 7 Jul 2014 09:40:30 -0400 (EDT)
Subject: [security-dev] Securing your app with PicketLink and DeltaSpike
References: <53BA0555.2050306@redhat.com>
Message-ID: <1344064124.3782151.1404740430510.JavaMail.zimbra@redhat.com>

Site updated: http://picketlink.org/gettingstarted/

----- Original Message -----
From: "Anil Saldhana"
To: "Shane Bryzak"
Cc: security-dev at lists.jboss.org
Sent: Sunday, July 6, 2014 11:44:41 PM
Subject: Re: [security-dev] Securing your app with PicketLink and DeltaSpike

We can also post a copy on the PL website. Great article, Shane.