István Fajth created HDDS-7331:
----------------------------------
Summary: Ozone PKI improvements
Key: HDDS-7331
URL: https://issues.apache.org/jira/browse/HDDS-7331
Project: Apache Ozone
Issue Type: Improvement
Components: Security
Reporter: István Fajth
Assignee: István Fajth
Attachments: Ozone_PKI_status_and_improvements.pdf
Ozone's internal Public Key Infrastructure and its related functionalities are
incomplete; this new umbrella JIRA is created to collect and track the missing
pieces.
What we are missing today:
- automatic rotation of certificates before expiration
- automatic rotation of CA certificates before expiration
- certificate revocation support
- configurability
- full admin CLI support for handling certificates
- better test coverage
- we have discrepancies in SCM HA due to the necessity of a primordial node
- clear separation of concerns, we use the same certificate and keypair for
multiple reasons
Also, as token signatures use the 2048-bit RSA keypair generated for our
internal certificates, we suffer a performance hit due to the costly RSA
signing of tokens.
See the attached detailed document about the current system, and the planned
improvements for more details about the problems and proposed solutions.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)