[Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

Simo Sorce simo at redhat.com
Mon Jul 25 16:03:27 UTC 2016


On Mon, 2016-07-25 at 18:05 +0300, Alexander Bokovoy wrote:
> >But maybe I'm not seeing the proper priorities here. Perhaps it's more
> >of a problem because clients are easier to update with bugfixes than
> >the server? Or maybe the preference for the client is for scalability
> >reasons? Could you tell me more about why you prefer a client
> >implementation?
> Making the client responsible for generating the certificate signing
> request serves several purposes where privacy is one of the main benefits:
> access to the private key stays at the client side.

I would definitely veto any scheme where the client must send the
private key to the server. I thought the server would generate the CSR,
but then it would be sent to the client for signing?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



