Feature changed by: Bruno Friedmann (bruno_friedmann)
Feature #319119, revision 19
Title: replace yast2-ca-management or drop it if not needed

Requested by: Jiri Srain (jsrain)
Requested by: Michael Calmer (mcalmer)
Partner organization: openSUSE.org

Description:
yast2 ca-management is a wild combination of yast(ruby) yast (perl) c++ (swig) and a c++ lib. The main component is the libcamgm which is in C++. This lib has been unmaintained for years and has a lot of downsides which can only be fixed by spending a lot of development time on it:

* not FIPS compliant. It uses a lot of algorithms which are in the meantime defined as insecure and not available anymore if you turn on FIPS mode
* RSA only: the lib supports only RSA keys. New keys, like DSA or Elliptic Curve Keys, are not supported and require a lot of new implementation to add support for them.
* openssl changes a lot: the commandline tools of openssl are not "stable". Every new version we detect something which is not working anymore and the library needs adaptation.
* support for new algorithms missing / not tested: not sure if sha256 is correctly working with this lib

The number of bug reports from the Enterprise customers was very low. I only had some from the openSUSE community. Enterprise Customers either buy their certificates at some Authority or they use other tools to manage PKIs like OpenCA.

Another point is that the yast team tries to remove the language zoo and concentrate on one programming language. With ruby, perl and c++ this module uses at least 1 too many.

We should think about alternatives for yast2-ca-management or find resources to invest in some extra development if we want to keep it for SLES13.

Discussion:

#1: Michael Calmer (mcalmer) (2015-10-14 15:00:45)
Maybe the YaST Team wants to take over the full maintenance. If yes, please speak up.

#2: Lukas Ocilka (locilka) (2015-10-14 15:49:25) (reply to #1)
No, we don't, we actually can't take it as we are out of our capacities already and don't have the knowledge anyway. The problem is that the amount of work we take care of rises faster than the number of developers assigned to these tasks.

#3: Bruno Friedmann (bruno_friedmann) (2015-10-14 17:16:49)
Did you mean there will be no ca management, neither for openSUSE nor for SLE? How rude is it.

#4: Howard Guo (guohouzuo) (2015-10-20 14:04:53)
I really liked the CA module :( 90% of the time it works every time. It's really useful and works very well with FreeIPA.

+ #10: Bruno Friedmann (bruno_friedmann) (2017-03-05 10:19:22)
+ How hard is to create a path to migrate from yast2-ca-management (nice
+ tools used since years) to openCA ? If we want to drop it, as we don't
+ know how much users are using it, we should at least have a migration
+ path documented.
+ With the arguments given (especially the security implication), it's
+ seems to be clear that the tools is having (had?) its eol soon.

--
openSUSE Feature: https://features.opensuse.org/319119