[Freeipa-devel] design review: Certificate Profiles

Fraser Tweedale ftweedal at redhat.com
Fri Apr 17 08:12:40 UTC 2015


On Fri, Apr 17, 2015 at 10:03:45AM +0200, Jan Cholasta wrote:
> Dne 17.4.2015 v 09:45 Fraser Tweedale napsal(a):
> >On Fri, Apr 17, 2015 at 07:26:55AM +0200, David Kupka wrote:
> >>On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
> >>>Hi everyone,
> >>>
> >>>Please review my Certificate Profiles design proposal:
> >>>http://www.freeipa.org/page/V4/Certificate_Profiles
> >>>
> >>>Let me know what is unclear, what needs expansion, and what is plain
> >>>wrong :)
> >>>
> >>>The schema for storing multiple certificates for a principal is
> >>>still being discussed but I expect it will be agreed soon, and I
> >>>will add it to the document.
> >>>
> >>>I am revising the sub-CAs design proposal and it will soon be
> >>>published for review as well.
> >>>
> >>>Cheers,
> >>>Fraser
> >>>
> >>Hi Fraser,
> >>I've read the design page and even though I know only a little about Dogtag
> >>it makes sense to me.
> >>
> >>Just a few notes:
> >>
> >>3.4 Retrieve profile - There was XML format twice (probably
> >>copy-paste-forget to modify :-) I changed it, feel free to revert the change
> >>if it was intentional.
> >>
> >>3.5 Delete profile - IMO the profile should be deleted when the user requests
> >>that. If the profile must be disabled before being deleted, do it as part of
> >>the deletion.
> >>
> >>3.6 Enable/disable profile - When a user requests enabling/disabling of an already
> >>enabled/disabled profile there is no need to return an error. The user wants it
> >>to be enabled/disabled and it is, job done.
> 
> Actually not, we raise AlreadyActive/AlreadyInactive in this case (see e.g.
> selinuxusermap-enable).
> 
Good to know - I haven't learned about the SELinux bits yet and
probably wouldn't have found this.

> >>
> >>5.2.1 CLI - I would change the command to 'ipa certprofile-add' to stay
> >>consistent with the rest of the FreeIPA commands.
> >>
> >David, thanks for your input.  'certprofile-import' was chosen after
> >discussion with Honza, based on the fact the profile already exists
> >(as a file) and is being imported into the system.  Jan, do you
> >still agree with '-import'?  What do other people think?
> 
> Yes, it should be -import. -add is reserved for the case when the properties
> of the profile are specified directly in command arguments, but in -import
> they are read from the supplied file.
> 
OK, -import it stays; thanks!

> >
> >Cheers,
> >Fraser
> >
> 
> 
> -- 
> Jan Cholasta