There is a surge of tooling aimed at production secret management, this has pros but there is a real danger that the standards around cert management are thrown deeper into flux as a result? Just me?
I'm excited to see more work being done to empower small engineering teams to take advantage of certificates. Lemur looks great, though many smaller organizations may find tools like "xca" to be adequate. xca is a simple GUI for certificate management: http://xca.sourceforge.net/
I don't know xca and I hope that it is a good project. Seeing a sourceforge link after the flack from the last few months makes me somewhat skeptical of the content on the other end though.
I had a bad taste in my mouth too. It's kind of crazy that we as developers have a tarnished view of open source code due to where the repository is hosted. If GitHub/Bitbucket start bundling malware into binaries one day will we tarnish all of the developers/companies open sourcing there too? I don't for a second anticipate it happening, but I'm sourceforge was considered great back in its hayday.
> If GitHub/Bitbucket start bundling malware into binaries one day will we tarnish all of the developers/companies open sourcing there too?
Yes. And hopefully that would be an impetus to move were that to happen. Any repo at one location that was at SF the day prior, and I knew they moves, immediately looks better in my eyes, because they are no longer helping support that system.
> empower small engineering teams to take advantage of certificates
Dumb question: I'm an engineer who doesn't understand certificates outside of the basics of SSL. What are some cool things a small engineering team could do with Lemur (or certs in general)?
For one example, deploy servers and have them already verified, so a new box that you know you personally set up will not give a warning [1]. One of the most underutilized parts of SSL certificates is that you can verify who /you/ are, so any kind of server, including webservers, don't need passwords, because they already have the invite list [2]. This part is admittedly a lot crunchier than the first example because people haven't spent nearly enough time getting it working nicely. Basically, good use of certs can replace a lot of systems where you know what it is and they know what you are.
In addition to sanddancers comment, you can also do things like:
- issue ephemeral certificates (with expiration in the near future) to allow a machine to perform an action but only for a certain amount of time (for example: to fetch credentials from a source to store in memory during machine provisioning).
- use client certificates to authenticate your end-users for secure web apps.
- easily build machine-to-machine trust models that take commercial CAs out of the picture
I dont think its strange.
the windows world has solved a lot of these issues - its other issues it hasn't solved that generally make people go to other platforms.
AD setups are actually pretty complete if you ask me. Heck, OpenLDAP is a lot to setup vs AD. Same for cert management. User management. Machine management. Kerberos that works (since most don't even understand it: its a ticketing authentication system - the thing we keep recreating and calling it something else).
It goes a long way - and I'm glad more tools are coming to narrow these gaps!
While I have no doubt that the channels Lemur is using are fairly secure, why is the key ever leaving the box from which is is going to be used?
If you have the OpenSSL utility, you can generate the certificates right on the box where you're going to use the cert, and only have to move around the public portions of the key. It seems like it would be fairly trivial for Lemur to do with just a SSH shell, or an agent.
With a lot of IaaS environments you don't have direct access to the box doing TLS termination. In our case since we heavily use AWS ELBs, generating certificates directly on the box isn't an option. Moreover when you need to deploy onto many servers you generally run into the same issues with moving keys around that Lemur attempts to make easier/safer.
Shameless plug, if you have composehub installed, you can just do "ch run lemur" and it will download and run lemur for you on your machine. You just need docker installed on your machine https://composehub.com/package/lemur
Wow, they really buried the lede! 'Netflix is pleased to announce […] Lemur!', then 893 words with a workflow diagram for things that aren't Lemur, then finally 'Lemur is a …'.
Would be great to be able to just send a CSR (my workflows would be less manual). Also, the plugin model doesn't seem to provide any way to implement a certificate issuing policy (this person can issue certs under this intermediate with this CN etc etc). Would that be something that might be possible in the future (PRs accepted is a valid answer here :))
I admire that at announcement time they already have a neat name and mascot that distinguishes this project and makes it more memorable.
But I fear it might be a little close to an existing open source project also using a little lemur dude graphic... http://www.lemurproject.org/
22 comments
[ 2.6 ms ] story [ 53.3 ms ] thread*: There are small teams with expert in x509. Most don't have such a luxury. For them to get certs right is near impossible.
Yes. And hopefully that would be an impetus to move were that to happen. Any repo at one location that was at SF the day prior, and I knew they moves, immediately looks better in my eyes, because they are no longer helping support that system.
Dumb question: I'm an engineer who doesn't understand certificates outside of the basics of SSL. What are some cool things a small engineering team could do with Lemur (or certs in general)?
[1] https://www.digitalocean.com/community/tutorials/how-to-crea...
[2] http://nategood.com/client-side-certificate-authentication-i...
https://technet.microsoft.com/en-us/library/cc731564.aspx
AD setups are actually pretty complete if you ask me. Heck, OpenLDAP is a lot to setup vs AD. Same for cert management. User management. Machine management. Kerberos that works (since most don't even understand it: its a ticketing authentication system - the thing we keep recreating and calling it something else).
It goes a long way - and I'm glad more tools are coming to narrow these gaps!
If you have the OpenSSL utility, you can generate the certificates right on the box where you're going to use the cert, and only have to move around the public portions of the key. It seems like it would be fairly trivial for Lemur to do with just a SSH shell, or an agent.
Someone care to edumacate me?
0 - https://github.com/cloudflare/cfssl
[0] https://www.tinycert.org/