39 lines
1.9 KiB
YAML
39 lines
1.9 KiB
YAML
---
|
|
prelude: >
|
|
This release notify that we will remove Certificate Orders and CAs from API.
|
|
deprecations:
|
|
- Certificate Orders
|
|
- CAs
|
|
other:
|
|
- Why are we deprecating Certificate Issuance?
|
|
There are a few reasons that were considered for this decision. First,
|
|
there does not seem to be a lot of interest in the community to fully
|
|
develop the Certificate Authority integration with Barbican. We have a
|
|
few outstanding blueprints that are needed to make Certificate Issuance
|
|
fully functional, but so far no one has committed to getting the work
|
|
done. Additionally, we've had very little buy-in from public
|
|
Certificate Authorities. Both Symantec and Digicert were interested in
|
|
integration in the past, but that interest didn't materialize into
|
|
robust CA plugins like we hoped it would.
|
|
|
|
Secondly, there have been new developments in the space of Certificate
|
|
Authorities since we started Barbican. The most significant of these
|
|
was the launch of the Let's Encrypt public CA along with the definition
|
|
of the ACME protocol for certificate issuance. We believe that future
|
|
certificate authority services would do good to implement the ACME
|
|
standard, which is quite different than the API the Barbican team had
|
|
developed.
|
|
|
|
Lastly, deprecating Certificate Issuance within Barbican will simplify
|
|
both the architecture and deployment of Barbican. This will allow us to
|
|
focus on the features that Barbican does well -- the secure storage of
|
|
secret material.
|
|
|
|
- Will Barbican still be able to store Certificates?
|
|
|
|
Yes, absolutely! The only thing we're deprecating is the plugin
|
|
interface that talks to Certificate Authorities and associated APIs.
|
|
While you will not be able to use Barbican to issue a new certificate,
|
|
you will always be able to securely store any certificates in Barbican,
|
|
including those issued by public CAs or internal CAs.
|