On 12/20/2013 02:32 PM, Bill Burke wrote:
> On 12/20/2013 3:23 PM, Anil Saldhana wrote:
>> Bill brought out some thoughts in my mind which I want to capture here
>> to see what your thoughts are:
>>
>> * Certificate Management
>> - We need a good system to CRUD certificates. The only good Java based
>> oss I have seen is EJBCA.
>>
> Becoming a CA is way down the road, but my thoughts were that a realm
> could just create client-certs signed with the realm's keypair using
> Bouncycastle APIs. There would be an option to download the truststore
> for the realm (for Java apps). And a text pkcs format (forget the
> actual name) for non-Java apps.
Good idea. But having a CA that helps users manage their certificates
within a particular corporate domain may be important for an integrated
solution.
CRUD/export-import truststores/keystores.
>> * Directory Server/Services
>> - We have ApacheDS and OpenDS (or the ForgeRock version) as two
>> possibilities in Java based directory servers. I am unsure if we have
>> really explored building a solution for directory services.
>>
> This is more part of federation no? We need to brainstorm how we want
> to approach federation. There's some who think the current Picketlink
> approach won't work and that other security products out there do
> syncing. Maybe we'll have to do both. I have some architectural ideas
> around this.
Great. I am glad you are thinking along these lines. I will be looking
out for your architectural ideas. Like the other reply I sent, what is
really missing in the OSS world is an integrated platform such as the
Active Directory ecosystem.
To summarize, it makes sense to have an integrated, administered
solution that is hopefully written in Java (no OS/Native issues) that
helps the modern enterprise that deals with REST/Mobile client use cases.
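The realm-as-mini-CA sketch in Bill's paragraph above (realm keypair signs client certs via Bouncy Castle, CA cert exported as a downloadable truststore), worked through as an added Java example that is not code from this thread or from the project. The class name, DNs, file name and password are constructed for the illustration, and bcprov/bcpkix are assumed on the classpath.

```java
// Added illustration (not project code): a realm issues client certs signed by its own keypair.
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class RealmCertIssuer {
    static X509Certificate sign(X500Name issuer, PrivateKey issuerKey, X500Name subject,
                                PublicKey subjectKey, boolean isCa, int days) throws Exception {
        Date now = new Date();
        // Random serial: relying parties key trust and revocation decisions on issuer+serial.
        BigInteger serial = new BigInteger(128, new SecureRandom());
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                issuer, serial, now, new Date(now.getTime() + days * 86_400_000L), subject, subjectKey);
        // Critical basicConstraints: a leaf cert must never be accepted as a CA.
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(
                isCa ? KeyUsage.keyCertSign | KeyUsage.cRLSign : KeyUsage.digitalSignature));
        if (!isCa) // restrict the leaf to TLS client authentication only
            b.addExtension(Extension.extendedKeyUsage, true,
                    new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(
                b.build(new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey)));
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair realm = gen.generateKeyPair();            // realm keypair; private half never leaves the server
        X500Name realmDn = new X500Name("CN=demo-realm"); // constructed sample DN
        X509Certificate caCert = sign(realmDn, realm.getPrivate(), realmDn, realm.getPublic(), true, 3650);
        KeyPair client = gen.generateKeyPair();
        X509Certificate clientCert = sign(realmDn, realm.getPrivate(),
                new X500Name("CN=alice,O=demo-realm"), client.getPublic(), false, 90);
        clientCert.verify(caCert.getPublicKey());         // throws if not signed by the realm key
        // Downloadable truststore for Java apps: the CA certificate only, no private key inside.
        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(null, null);
        trust.setCertificateEntry("demo-realm-ca", caCert);
        try (java.io.FileOutputStream out = new java.io.FileOutputStream("demo-realm-truststore.p12")) {
            trust.store(out, "changeit".toCharArray());
        }
    }
}
```

The same `sign` call with a short validity and `id_kp_clientAuth` is what keeps a leaked client cert from being reused as a signer or for server identity; the realm's private key itself belongs in a keystore or HSM, not in a downloadable artifact.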