[Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install

Martin Kosek mkosek at redhat.com
Fri Sep 26 11:54:34 UTC 2014


On 09/26/2014 01:41 PM, Jan Cholasta wrote:
> Dne 26.9.2014 v 12:02 Martin Kosek napsal(a):
>> On 09/23/2014 11:46 AM, Jan Cholasta wrote:
>>> Dne 6.8.2014 v 18:17 Jan Cholasta napsal(a):
>>>> Dne 6.8.2014 v 14:43 Rob Crittenden napsal(a):
>>>>> Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> the attached patch fixes
>>>>>> <https://fedorahosted.org/freeipa/ticket/4447>.
>>>>>>
>>>>>
>>>>>
>>>>> +    cert_group.add_option("--ca-key-algorithm",
>>>>> dest="ca_key_algorithm",
>>>>> +                      help="Key algorithm of the IPA CA certificate
>>>>> (default SHA256withRSA)")
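Review bot: the help string in this hunk promises "(default SHA256withRSA)", but the add_option call passes no default=, so dest ca_key_algorithm is None after parsing and the advertised default only exists wherever later CA code fills it in; either pass default="SHA256withRSA" here or reword the help so the text and the behaviour cannot drift apart. The option also accepts any string: a choices= list of the algorithm names the CA actually accepts would reject an unsupported value at argument parsing instead of part-way through the CA install, and it would double as the list that the man page should document.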
>>>>>
>>>>> Why not set the default here rather than later?
>>>>
>>>> CA-related defaults should be internalized in CA-related code IMHO.
>>>>
>>>>>
>>>>> Should the list of options be added to the man page as well?
>>>>
>>>> Sure, why not.
>>>>
>>>>>
>>>>> Do we want to support the MD*-based signing algorithms? I'd think not.
>>>>
>>>> Since the reason this patch exists is to support old and/or broken
>>>> external CAs, I would think yes, but I don't have a strong opinion on
>>>> this.
>>>
>>> Turns out Dogtag does not like them, so I removed them.
>>>
>>>>
>>>>>
>>>>> Seeing the context makes me wonder if we should eventually add options
>>>>> for CA key size and signing alg as well.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>>
>>>
>>> Updated patch attached.
>>>
>>
>> I tested the patch (it works fine with Dogtag 10), but I got very confused.
>>
>> What CA option are we setting? Signing algorithm or Key Algorithm? I
>> thought we are only setting Signing algorithm, but in that case:
>
> We are setting key algorithm for the CA signing key.

That did not make me any less confused... If I check, for example, the fields of 
certificate details in my browser, I see 2 algorithm names:

* Public Key Algorithm (RSA, ECC, ...)
* Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with RSA, something 
with ECC)

In that world, "key algorithm" should really refer to the key PKI algorithm, 
i.e. RSA, ECC, ... Signature algorithms are where hashes come into play.

>> - --ca-key-algorithm option should rather read --ca-signing-key-algorithm
>
> If you want to emphasize that it is actually the algorithm used to sign the CA
> certificate, the option should read --ca-certificate-signature-algorithm, but I
> would rather stick to Dogtag terminology and keep the string "key algorithm" in
> the name.

I still think for most people "key algorithm" refers to Public Key algorithm. 
Rob or Simo, what is your take on this?

>
>> - Dogtag9 update should only set --signing_algorithm and not
>> --key_algorithm
>
> It should not, because then *all* the certificates issued by the CA would use
> that algorithm, instead of just the CA certificate.

Ok.

>
>> - man page should also be updated with proper explanation.
>
> And that would be?

That would be something specifically referring to signing. You can also add a 
note on when the option can be used, whether with --external-ca only or with any 
CA option.
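The distinction argued about above (the public key algorithm recorded in the certificate's SubjectPublicKeyInfo versus the signature algorithm recorded in the signatureAlgorithm field, which is where the hash comes in) can be shown directly in X.509 DER. The following is an added example, not code from FreeIPA, Dogtag or this thread: a minimal DER walker that pulls both algorithm OIDs out of a certificate, plus a helper that splits a Dogtag-style name such as SHA256withRSA into its digest and key-type parts. The certificate it runs on is a constructed, unsigned skeleton built inline (empty names, dummy key bits and signature) so the example runs offline with the standard library only; the OID-to-name table covers only the handful of algorithms mentioned in the thread.

```python
"""Show where 'key algorithm' and 'signature algorithm' live in an X.509 cert.

Added example (not FreeIPA/Dogtag code). Builds a constructed, unsigned
certificate skeleton in DER and then parses the two AlgorithmIdentifiers
out of it: the one inside SubjectPublicKeyInfo (the *key* algorithm) and
the outer signatureAlgorithm (the *signature* algorithm, which names the
hash). The skeleton omits AlgorithmIdentifier parameters; the parser only
reads the OID, so that does not matter here, but real certificates carry
them (NULL for RSA, the curve OID for EC keys).
"""

# Names for the few OIDs this example cares about (all real, standard OIDs).
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


# ---- DER encoding helpers (used only to build the constructed skeleton) ----

def _base128(n):
    """Encode one OID arc in base-128 with continuation bits (DER style)."""
    chunks = [n & 0x7F]
    n >>= 7
    while n:
        chunks.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(chunks))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    return body


def tlv(tag, body):
    """Tag-length-value with DER definite-length encoding."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def build_skeleton_cert(key_oid, sig_oid):
    """Constructed, unsigned Certificate skeleton: enough structure to parse."""
    alg = lambda o: tlv(0x30, tlv(0x06, encode_oid(o)))      # AlgorithmIdentifier
    version = tlv(0xA0, tlv(0x02, b"\x02"))                    # [0] EXPLICIT v3
    serial = tlv(0x02, b"\x01")
    empty_name = tlv(0x30, b"")                                # placeholder Name
    validity = tlv(0x30, tlv(0x17, b"140101000000Z") + tlv(0x17, b"240101000000Z"))
    dummy_bits = tlv(0x03, b"\x00" + b"\x00" * 8)              # BIT STRING, 0 unused bits
    spki = tlv(0x30, alg(key_oid) + dummy_bits)
    tbs = tlv(0x30, version + serial + alg(sig_oid) + empty_name + validity + empty_name + spki)
    return tlv(0x30, tbs + alg(sig_oid) + dummy_bits)


# ---- DER decoding -----------------------------------------------------------

def read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out


def decode_oid(raw):
    arcs, cur = [], 0
    for byte in raw:
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])


def _alg_name(alg_id):
    _tag, oid_bytes = children(alg_id[1])[0]   # first child of AlgorithmIdentifier is the OID
    dotted = decode_oid(oid_bytes)
    return OID_NAMES.get(dotted, dotted)


def certificate_algorithms(der):
    """Return the key algorithm and the signature algorithm(s) of a DER cert."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tbs, sig_alg, _sig_value = children(body)
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:               # optional version [0] EXPLICIT
        fields = fields[1:]
    _serial, tbs_sig_alg, _issuer, _validity, _subject, spki = fields[:6]
    spki_alg, _key_bits = children(spki[1])
    return {
        "public_key_algorithm": _alg_name(spki_alg),   # what a browser calls "Public Key Algorithm"
        "signature_algorithm": _alg_name(sig_alg),     # "Certificate Signature Algorithm"
        "tbs_signature_algorithm": _alg_name(tbs_sig_alg),  # must match the outer one
    }


def split_signature_algorithm_name(name):
    """'SHA256withRSA' -> ('SHA256', 'RSA'): a Dogtag-style signature algorithm
    name carries both the digest and the key type; only the second part is a
    'key algorithm' in the public-key sense."""
    digest, sep, key_type = name.partition("with")
    if not sep or not digest or not key_type:
        raise ValueError("expected <digest>with<keytype>, got %r" % name)
    return digest, key_type


if __name__ == "__main__":
    cert = build_skeleton_cert("1.2.840.113549.1.1.1", "1.2.840.113549.1.1.11")
    print(certificate_algorithms(cert))
    print(split_signature_algorithm_name("SHA256withRSA"))
```

Run on the constructed RSA skeleton, the parser reports rsaEncryption as the public key algorithm and sha256WithRSAEncryption as the signature algorithm, which is the pair of fields Martin describes seeing in a browser; the same walker applied to an EC skeleton reports id-ecPublicKey and ecdsa-with-SHA256. The name splitter makes the same point about the option's values: "SHA256withRSA" is a signature algorithm name, of which only the "RSA" part is a key algorithm.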
