[Freeipa-devel] design review: Certificate Profiles

Martin Kosek mkosek at redhat.com
Fri Apr 17 12:08:29 UTC 2015


On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
> Hi everyone,
>
> Please review my Certificate Profiles design proposal:
> http://www.freeipa.org/page/V4/Certificate_Profiles
>
> Let me know what is unclear, what needs expansion, and what is plain
> wrong :)
>
> The schema for storing multiple certificates for a principal is
> still being discussed but I expect it will be agreed soon, and I
> will add it to the document.
>
> I am revising the sub-CAs design proposal and it will soon be
> published for review as well.

1) Where did you get this feature template? It is the one that is obsolete 
(header levels, document structure, missing author in the box)... This is the 
right template:
http://www.freeipa.org/page/Feature_template

2) I miss a certprofile-find command - to enable Web UI and/or CLI to search 
through existing profiles.

3) Permissions
So your plan is to allow different groups to use different profiles? So there 
would be for example profiles allowed to all users (something like 
userCategory:all that we use for HBAC/SUDO)? How do you plan to deal with 
authorization? Will it be on a FreeIPA framework level or for example by DS ACIs 
that would simply not show the profiles?

4) Searching for certificates by profile - FEEDBACK REQUIRED
It would be nice to incorporate this filter into the current cert-find command.

5) Default set of profiles
Should we also propose a basic set of canned profiles so that I can picture 
what will be the possibilities?

Would it be something like
* Server profile
* Client profile

6) Upgrades
It may happen that FreeIPA needs to upgrade defaults of a canned profile. It 
would be nice to have a section on how it would do it.

This is all I could think of so far.



