[Freeipa-devel] design review: Certificate Profiles

Fraser Tweedale ftweedal at redhat.com
Fri Apr 17 07:45:41 UTC 2015


On Fri, Apr 17, 2015 at 07:26:55AM +0200, David Kupka wrote:
> On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
> >Hi everyone,
> >
> >Please review my Certificate Profiles design proposal:
> >http://www.freeipa.org/page/V4/Certificate_Profiles
> >
> >Let me know what is unclear, what needs expansion, and what is plain
> >wrong :)
> >
> >The schema for storing multiple certificates for a principal is
> >still being discussed but I expect it will be agreed soon, and I
> >will add it to the document.
> >
> >I am revising the sub-CAs design proposal and it will soon be
> >published for review as well.
> >
> >Cheers,
> >Fraser
> >
> Hi Fraser,
> I've read the design page and even though I know only a little about Dogtag
> it makes sense to me.
> 
> Just a few notes:
> 
> 3.4 Retrieve profile - There was XML format twice (probably
> copy-paste-forget to modify :-) I changed it, feel free to revert the change
> if it was intentional.
> 
> 3.5 Delete profile - IMO the profile should be deleted when the user requests
> that. If the profile must be disabled before being deleted, do it as a part of
> deletion.
> 
> 3.6 Enable/disable profile - When a user requests enabling/disabling of an already
> enabled/disabled profile there is no need to return an error. The user wants it
> to be enabled/disabled and it is, job done.
> 
> 5.2.1 CLI - I would change the command to 'ipa certprofile-add' to stay
> consistent with rest of FreeIPA commands.
> 
David, thanks for your input.  'certprofile-import' was chosen after
discussion with Honza, based on the fact the profile already exists
(as a file) and is being imported into the system.  Jan, do you
still agree with '-import'?  What do other people think?

Cheers,
Fraser



