[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

martbab freeipa-github-notification at redhat.com
Thu Apr 20 11:21:38 UTC 2017


  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
@abbra I received an interactive review from @HonzaCholasta today and he is not very keen on the idea of having ternary (absent/local/external/full) PKINIT configuration. He suggests to only have it absent/off (local implementation)/on and thus drop the differentiation between PKINIT configured with IPA CA issued or 3rd party certificates. The main concern here is that the 'local' PKINIT configuration is actually an implementation detail we should not leak to clients; they should only be able to tell if it is configured for them or not.

If you look into the design page, the two states (full/external) behave the same during replica installation and upgrade so the differentiation does not bring much new information to the users. So a simple on/off switch (something like pkinitStatus: off/on) could be enough and it could simplify the transition and UX. What do you think?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-295692167

