[Freeipa-devel] design review: Certificate Profiles
Fraser Tweedale
ftweedal at redhat.com
Mon Apr 27 14:30:46 UTC 2015
On Fri, Apr 17, 2015 at 02:08:29PM +0200, Martin Kosek wrote:
> On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
> >Hi everyone,
> >
> >Please review my Certificate Profiles design proposal:
> >http://www.freeipa.org/page/V4/Certificate_Profiles
> >
> >Let me know what is unclear, what needs expansion, and what is plain
> >wrong :)
> >
> >The schema for storing multiple certificates for a principal is
> >still being discussed but I expect it will be agreed soon, and I
> >will add it to the document.
> >
> >I am revising the sub-CAs design proposal and it will soon be
> >published for review as well.
>
> 1) here did you get this feature template? It is the one that is obsolete
> (header levels, document structure, missing author in the box)... This is
> the right template:
> http://www.freeipa.org/page/Feature_template
>
I saw you updated the formatting and added the `certprofile-mod`
command - thanks!
> 2) I miss certprofile-find command - to enable Web UI and/or CLI to search
> through existing profiles.
>
The command will exist, but it is still missing from design page; I
will add it.
> 3) Permissions
> So your plan is to allow different groups use different profiles? So there
> would be for example profiles allowed to all users (something like
> userCattegory:all that we use for HBAC/SUDO)? How do you plan to deal with
> authorization? Will be on a FreeIPA framework level or for example by DS
> ACIs that would simply not show the profiles?
>
The design is living in the sub-CAs proposal. The discussion is
ongoing (in another thread).
> 4) Searching for certificates by profile - FEEDBACK REQUIRED
> It would be nice to incorporate this filter to current cert-find command.
>
I added `cert-find` and the filter.
> 5) Default set of profiles
> Should we also propose a basic set of canned profiles so that I can picture
> what will be the possibilities?
>
> Would it be something like
> * Server profile
> * Client profile
>
We will have a set of included profiles:
- The current caIPAserverCert profile (we will rebrand it; "TLS
Server and Client Profile" or something)
- One for TLS server auth *without* client auth.
- User authentication
I will include this in design page.
> 6) Upgrades
> It may happen that FreeIPA needs to upgrade defaults of a canned profile. It
> would be nice to have a section how it would do it.
>
Should be trivial; I have added some commentary to design page.
> This is all I could think of so far.
>
Thanks for your feedback!
More information about the Freeipa-devel
mailing list