[Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation
Alexander Bokovoy
abokovoy at redhat.com
Mon Jul 25 15:05:20 UTC 2016
On Mon, 25 Jul 2016, Ben Lipton wrote:
>On 07/25/2016 05:07 AM, Simo Sorce wrote:
>>On Mon, 2016-07-25 at 10:50 +0200, Jan Cholasta wrote:
>>>Anyway, my main grudge is that the transformation rules shouldn't
>>>really
>>>be stored on and processed by the server. The server should know the
>>>*what* (mapping rules), but not the *how* (transformation rules). The
>>>*how* is an implementation detail and does not change in time, so
>>>there's no benefit in handling it on the server. It should be handled
>>>exclusively on the client, which I believe would also make the whole
>>>thing more robust (it would not be possible for a bug on the server
>>>to
>>>break all the clients).
>>W/o entering in specific +1 as a general comment on this.
>>If it can be done on the client, probably better be done there.
>>
>>Simo.
>>
>My thinking was that while the CSR generation must be done on the
>client, the retrieval and formatting of the data for the CSR should be
>done on the server, so that the functionality is available to all
>consumers of the API (ipa command-line, certmonger, Web UI, something
>else?). I imagine it would be relatively easy to move the formatting
>stuff into the ipa CLI, but all the other clients would then need an
>implementation of their own, and so we'd need to worry about
>interpreting the templates and generating CSRs in multiple different
>languages. It's true that as it stands a bug on the server could break
>all the clients, but on the other hand there's only one implementation
>to maintain, rather than a different one in each client.
For other clients we would need to worry about CSR, not generating them.
For them we *could* make use of the fact that IPA server is IPA client
as well and provide some API to create CSR based on a pre-defined
request type (e.g. don't support all CSR backends, just one, like
python-cryptography). That wouldn't be too flexible but for flexibility
we already accept CSRs generated by someone else.
>But maybe I'm not seeing the proper priorities here. Perhaps it's more
>of a problem because clients are easier to update with bugfixes than
>the server? Or maybe the preference for the client is for scalability
>reasons? Could you tell me more about why you prefer a client
>implementation?
Making client responsible for generating the certificate signing
request serves several purposes where privacy is one of main benefits:
access to private key stays at the client side.
>(And yeah, everything here carries a disclaimer of "I probably can't
>make any large changes in the remaining 3 weeks of my internship," but
>I think it's still good to know and document what the limitations of
>the current implementation are.)
Agreed.
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list