[Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

Ben Lipton blipton at redhat.com
Mon Jul 25 16:09:49 UTC 2016


On 07/25/2016 12:03 PM, Simo Sorce wrote:
> On Mon, 2016-07-25 at 18:05 +0300, Alexander Bokovoy wrote:
>>> But maybe I'm not seeing the proper priorities here. Perhaps it's more
>>> of a problem because clients are easier to update with bugfixes than
>>> the server? Or maybe the preference for the client is for scalability
>>> reasons? Could you tell me more about why you prefer a client
>>> implementation?
>> Making the client responsible for generating the certificate signing
>> request serves several purposes where privacy is one of the main benefits:
>> access to the private key stays at the client side.
> I would definitely veto any scheme where the client must send the
> private key to the server. I thought the server would generate the CSR,
> but then it would be sent to the client for signing?
>
> Simo.
>
The server generates the data and formats it for the helper tool. The 
helper runs on the client and generates the CSR, with signature. I don't 
think we were considering signing anything server-side; in this thread I 
was referring to whether the data should be requested and formatted on 
the server or client side.



