[Freeipa-devel] Revoking user/service/host certificates

Martin Kosek mkosek at redhat.com
Mon May 18 09:51:41 UTC 2015


Hi Fraser (and list),

Recently, we have proposed 2 new policies for treating user/host/service
certificates based on the per-profile policy:

a) If the certificate is stored in the userCertificate attribute
b) If the certificate is stored and the object is deleted/disabled, whether the
certificate should also be revoked

Details in:
http://www.freeipa.org/page/V4/User_Certificates#Configuration

a) is straightforward. However, I had not thought more about case b). When an
object is deleted/disabled, how will the framework tell which profile to
check the policy against?

Will it ask Dogtag via some API call? Or will the profile be stored in the
certificate itself, just like MS CA does for some certificates?

Thanks.

-- 
Martin Kosek <mkosek at redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
