Friday, March 28, 2008

Dogtag -- Open Source PKI from Red Hat

Earlier this month, Red Hat announced they were open-sourcing the PKI platform they purchased from Netscape in 2004. The resulting project, Dogtag, contains an open-source version of the code used to power Red Hat Certificate System, previously known as Netscape Certificate Management Server. While Red Hat is best known for their Linux distribution (and, more recently, their JBoss middleware products), RHCS is the basis for the world's largest PKI, developed and maintained by the U.S. Department of Defense. This PKI is responsible for nearly 10 million certificates, including those issued on the DoD's Common Access Card (CAC).

So what does this mean for the open-source community at large? Plenty. Up until now, there has been no enterprise-class, open-source PKI solution (despite the efforts of yours truly and the Odyssi PKI project). While the community often argues that PKI is too bloated and unnecessary when compared with PGP or other lightweight products, it serves as the backbone for security in many large-scale enterprises. Being able to deploy an open-source PKI is yet one more component that Red Hat is able to provide in the application stack. This, combined with their support of the FreeIPA project for providing identity, audit, and policy management, means that Red Hat is becoming an even more formidable player in the enterprise space.

I have worked extensively with Netscape CMS, the basis for RHCS. The features, scalability, and security it provides are top-notch. In fact, many of the features in CMS served as the inspiration for things I had planned for Odyssi PKI. Will I continue development of Odyssi PKI now that Dogtag is available? Maybe, maybe not. Life seems to be getting in the way of any development projects for right now. However, in the future I may have time to continue with Odyssi PKI, or even contribute to Dogtag. We'll just have to wait and see.