I have looked at the SROS2 tooling provided with foxy and on github
It feels like the command line tooling is currently designed to set up demo keystores with demo keys but does not seem fit to be used in a productive environment. A security professional will be able to manually create the keys and certificates needed and will be able to handle them appropriately. This can be challenging for somebody with less of a security background, though.
For example, creating the node private keys at the CA is very unconventional and could have negative impacts on the security - depending on the scenario. I think support for creating CSRs on nodes to be signed at the CA should be added. This would also improve compatibility with existing CA infrastructures, which might be beneficial to organizations who prefer to use a separate CA (e.g. to make revocation easier).
Additionally, the documentation should be improved. I have seen cases where the whole keystore was copied to each machine because the user did not understand the concept, thus defeating the whole point for Access control.
I would like to hire a student to work on this, this would involve some major extensions to the existing code and most likely some refactoring. My goal is to keep the command line tooling as simple as it is know, while adding flexibility to make it easy to securely use it in production environments.
Could you advise, on how to proceed with this? Due to my background in IT-Security, I can handle it from a technical and conceptual point of view but don’t want to put effort into it before discussing the general idea with the maintainers. After all it should be merged into the repo…