[Freeipa-devel] Scope of ECC support in FreeIPA/Dogtag
Fraser Tweedale
ftweedal at redhat.com
Tue Sep 15 13:26:55 UTC 2015
On Tue, Sep 15, 2015 at 02:10:57PM +0200, Martin Kosek wrote:
> Hi Nathan and others,
>
> I am now going through FreeIPA 4.4 items and I am thinking about ECC support in
> FreeIPA:
>
> https://fedorahosted.org/freeipa/ticket/3951
>
> AFAIK, ECC should be already supported in Dogtag. Could you please advise what
> is the scope of expected changes in FreeIPA?
>
> My understanding is that the following parts are required:
> 1) Generating an ECC signing certificate for the FreeIPA CA. It is not clear to me
> though whether this task can be easily done during upgrade.
>
Lightweight (sub)CAs should allow it easily - once they support
specifying the key type and size/curve (currently subCAs are
hardcoded to rsa2048 but the subCAs are still a WIP; there is a
separate ticket[1] to track it).
There will also be a small amount of work on the IPA side - and
maybe some on the Dogtag side - to allow new installations to use an
ECC root.
[1] https://fedorahosted.org/pki/ticket/1589
> 2) Updating FreeIPA Certificate Profiles (which should be now in LDAP) and
> adding respective EC algorithms support to "signingAlgsAllowed", as noted in
> https://fedorahosted.org/freeipa/ticket/3951#comment:1.
>
Yes, we will need to update the included profiles. I have been
thinking about how to get more flexibility for profile updates; I
think versioning profiles is desirable but that will be a separate
design proposal.
Anyhow, I am happy to own these efforts.
Cheers,
Fraser
> Is that correct, or is more needed to make that work and be supported in FreeIPA?
>
> --
> Martin Kosek <mkosek at redhat.com>
> Supervisor, Software Engineering - Identity Management Team
> Red Hat Inc.
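To make item 2) concrete, here is an added example (my own illustration, not FreeIPA or Dogtag code) that audits a Dogtag profile's "signingAlgsAllowed" constraint for EC signing algorithms and produces an updated profile. It assumes Dogtag's raw key=value profile format, the constraint key suffix `constraint.params.signingAlgsAllowed`, and the algorithm names `SHA256withEC`, `SHA384withEC` and `SHA512withEC`; the sample profile below is constructed.

```python
# Audit and extend signingAlgsAllowed in a Dogtag-style profile (added example).
# Assumed format: one key=value per line, with the signing-algorithm constraint at
#   policyset.<set>.<n>.constraint.params.signingAlgsAllowed=<alg>,<alg>,...
# EC algorithm names are assumed to be Dogtag's ECDSA identifiers.

SIGNING_ALGS_KEY = "constraint.params.signingAlgsAllowed"
EC_ALGS = ["SHA256withEC", "SHA384withEC", "SHA512withEC"]

# Constructed fragment in the style of an IPA service-cert profile; RSA-only today.
SAMPLE_PROFILE = """\
profileId=caIPAserviceCert
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.params.signingAlg=SHA256withRSA
"""


def _split_algs(value):
    """Turn 'A,B, C' into ['A', 'B', 'C'], ignoring empty entries."""
    return [a.strip() for a in value.split(",") if a.strip()]


def missing_ec_algs(profile_text):
    """Map each signingAlgsAllowed key to the EC algorithms it does not yet list."""
    report = {}
    for line in profile_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().endswith(SIGNING_ALGS_KEY):
            allowed = set(_split_algs(value))
            report[key.strip()] = [a for a in EC_ALGS if a not in allowed]
    return report


def add_ec_algs(profile_text):
    """Return the profile with EC algorithms appended to every signingAlgsAllowed.

    Lines that are not a signingAlgsAllowed constraint are passed through unchanged,
    so the rest of the profile (defaults, class_ids) keeps its original content.
    """
    out = []
    for line in profile_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().endswith(SIGNING_ALGS_KEY):
            allowed = _split_algs(value)
            allowed += [a for a in EC_ALGS if a not in allowed]  # keep order, no dupes
            line = f"{key.strip()}={','.join(allowed)}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `add_ec_algs` twice is idempotent, so it is safe to apply during an upgrade step that may be re-run.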