[Freeipa-devel] #5836 [RFE] Allow profile to specify default CA

Jan Cholasta jcholast at redhat.com
Thu May 5 06:16:17 UTC 2016


Hi,

On 4.5.2016 02:21, Fraser Tweedale wrote:
> Continuing the discussion for #5836[1] as requested from triage
> session.
>
> [1] https://fedorahosted.org/freeipa/ticket/5836
>
> IMO it is not important for FreeIPA 4.4.  It is nice to have but I
> doubt it will make it.

+1

>
> Honza suggested it should be the other way around, i.e. CA specifies
> default profile rather than profile specifies default CA.
>
> The fact (also raised by Christian) is that multiple profiles may be
> used with a single CA, and vice-versa.  CA ACLs will govern what
> combinations are acceptable.
>
> Thinking from user perspective, there are a couple of things to
> consider:
>
> - Currently, to request a particular kind of cert, user must specify
>   a profile ID.
>
> - It is more natural to ask for a particular profile and have the
>   request dispatched to a profile-specified default CA, than to ask
>   for a cert issued by a particular CA, and a CA-specified default
>   profile will be used.
>
> Given these points, I am strongly in favour of having the profile
> indicate the default CA - not the other way around.

My worry is how this will work when external CA support comes into the 
picture (I outlined a possible solution at [1]).

Right now there is only Dogtag, so all profiles work for all CAs, but 
once there are different types of CAs, this will no longer be true, 
because profiles are inherently CA implementation-specific.

I'm not against profiles having a default CA per se, I would just like 
the design to take the possibility of external CAs into account, so that 
it does not create issues for us in the future.

Honza

[1] certmonger everywhere, 
<https://www.redhat.com/archives/freeipa-devel/2015-December/msg00475.html>

-- 
Jan Cholasta
