[Freeipa-devel] User Certificates in 4.2 - design and questions
Martin Kosek
mkosek at redhat.com
Wed May 6 06:52:10 UTC 2015
On 05/05/2015 08:38 AM, Martin Kosek wrote:
> On 05/04/2015 09:23 PM, Simo Sorce wrote:
>> On Mon, 2015-05-04 at 16:41 +0200, Martin Kosek wrote:
...
>> So I am fine *not* revoking certs automatically and instead documenting
>> best practices for certs lifecycle management (ie deleting certs when
>> not useful) and how to manually/explicitly revoke certs only when
>> actually compromised (for hosts), or when needed (user leaves
>> organization and may retain a copy of the private key, unlikely when the
>> cert was in a Smart Card which has been returned and wiped).
>
> Well, makes sense to me. I added a section to the design:
> http://www.freeipa.org/page/V4/User_Certificates#Revocation_of_the_Certificates
>
> We just need to be cautious here because this would be a change in behavior
> compared to FreeIPA 4.1 and older. Should this be another global/per-profile
> policy setting that administrator could set up?
Honza said it is a good idea off-list (well, thank you!), so I added the
proposal in the design page to make this option part of the per-profile
certificate management policy:
http://www.freeipa.org/page/V4/User_Certificates#Configuration
If there are objections, please holler.