[Freeipa-devel] Multiple CA certificates in LDAP, questions

Jan Cholasta jcholast at redhat.com
Mon Sep 9 14:39:16 UTC 2013


On 9.9.2013 16:02, John Dennis wrote:
> On 09/09/2013 05:17 AM, Jan Cholasta wrote:
>> Another question:
>>
>> Should each IPA service (LDAP, HTTP, PKINIT) have its own distinctive
>> set of trusted CAs, or is using one set for everything good enough?
>> Using distinctive sets would allow granular control over what CA is
>> trusted for what service (e.g. trust CA1 to issue certificates for LDAP
>> and HTTP, but trust CA2 only to issue certificates for HTTP), but I'm
>> not sure how useful that would be in the real world.
>
> That would complicate things quickly. Managing CA certs is already
> challenging enough. Exploding this via combinations does not seem to
> present enough real value for the complexity.
>
> In the real world most deployments boil down to a single CA and that
> trust model has been effective. Don't forget you can always revoke any cert
> issued by a CA. Having granular control over individual CAs does not
> seem to present value, just complications. If your CA is compromised
> you've got big things to worry about, having it be 1 in N does not seem
> to change that equation radically. If one CA got compromised you've got
> a lot of work to do to replace the trusted CA list everywhere. If one is
> compromised why aren't the other CAs? Having to update just one CA
> trust rather than potentially N is better.

I'm not suggesting *controlling* multiple CAs, but being able to manage
what individual external CAs are trusted to do. This is probably only
relevant to a CA-less install. When the IPA internal CA is installed, there is
just that one CA, which is trusted for everything.

-- 
Jan Cholasta
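As an added illustration (not code from the thread or from FreeIPA), this Go program models the per-service trusted CA sets Jan describes with the standard crypto/x509 verifier: CA1 is trusted for LDAP and HTTP, CA2 only for HTTP, so a server certificate issued by CA2 verifies for HTTP but not for LDAP. The CA names and the host name ipa.example.test are constructed; errors from key and certificate generation are ignored for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds constructed test material: a self-signed CA when parent is nil,
// otherwise a server certificate issued by parent with its key pkey.
func mkCert(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-sign the CA
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TrustedFor verifies leaf against only the CAs trusted for the named service:
// one trust store per service rather than one shared store.
func TrustedFor(trust map[string][]*x509.Certificate, service string, leaf *x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range trust[service] {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// Scenario from the thread: CA1 trusted for LDAP and HTTP, CA2 only for HTTP.
// Returns whether a CA2-issued server cert is accepted for HTTP and for LDAP.
func Scenario() (httpOK, ldapOK bool) {
	ca1, _ := mkCert("CA1", nil, nil)
	ca2, k2 := mkCert("CA2", nil, nil)
	trust := map[string][]*x509.Certificate{"LDAP": {ca1}, "HTTP": {ca1, ca2}}
	leaf, _ := mkCert("ipa.example.test", ca2, k2) // constructed host name
	return TrustedFor(trust, "HTTP", leaf), TrustedFor(trust, "LDAP", leaf)
}

func main() { fmt.Println(Scenario()) }
```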
