[Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

[Alexander Bokovoy]

On Mon, 25 Jul 2016, Simo Sorce wrote:
>On Mon, 2016-07-25 at 12:09 -0400, Ben Lipton wrote:
>> On 07/25/2016 12:03 PM, Simo Sorce wrote:
>> > On Mon, 2016-07-25 at 18:05 +0300, Alexander Bokovoy wrote:
>> >>> But maybe I'm not seeing the proper priorities here. Perhaps it's
>> >> more
>> >>> of a problem because clients are easier to update with bugfixes than
>> >>> the server? Or maybe the preference for the client is for
>> >> scalability
>> >>> reasons? Could you tell me more about why you prefer a client
>> >>> implementation?
>> >> Making client responsible for generating the certificate signing
>> >> request serves several purposes where privacy is one of main benefits:
>> >> access to private key stays at the client side.
>> > I would definitely veto any scheme where the client must send the
>> > private key to the server. I thought the server would generate the CSR,
>> > but then it would be sent to the client for signing ?
>> >
>> > Simo.
>> >
>> The server generates the data and formats it for the helper tool. The
>> helper runs on the client and generates the CSR, with signature. I don't
>> think we were considering signing anything server-side; in this thread I
>> was referring to whether the data should be requested and formatted on
>> the server or client side.
>
>This was my understanding as well, but Alexander's comment startled me,
>thanks for confirming.
Correct. I was commenting by also taking into account current Fedora
situation where your certificate is generated on the server and that it
needs to be provided as well if we want Fedora to use FreeIPA as a
replacement for some of their infrastructure. However, this has nothing
to do with CSR generation as that mode can be simulated on IPA server
locally if really needed (again, because IPA server is own client, so it
has access to all the client infra).
-- 
/ Alexander Bokovoy