[Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation
Rob Crittenden
rcritten at redhat.com
Mon Jul 25 18:47:23 UTC 2016
Simo Sorce wrote:
> On Mon, 2016-07-25 at 18:05 +0300, Alexander Bokovoy wrote:
>>> But maybe I'm not seeing the proper priorities here. Perhaps it's
>> more
>>> of a problem because clients are easier to update with bugfixes than
>>> the server? Or maybe the preference for the client is for
>> scalability
>>> reasons? Could you tell me more about why you prefer a client
>>> implementation?
>> Making client responsible for generating the certificate signing
>> request serves several purposes where privacy is one of main benefits:
>> access to private key stays at the client side.
>
> I would definitely veto any scheme where the client must send the
> private key to the server. I thought the server would generate the CSR,
> but then it would be sent to the client for signing ?
I doubt any SSL library will let you disconnect CSR generation in this
way (fairly certain not in NSS anyway).
rob
More information about the Freeipa-devel
mailing list