[Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install
Simo Sorce
ssorce at redhat.com
Fri Sep 26 14:44:16 UTC 2014
On Fri, 26 Sep 2014 13:54:34 +0200
Martin Kosek <mkosek at redhat.com> wrote:
> >> I tested the patch (it works fine with Dogtag 10), but I got very
> >> confused.
> >>
> >> What CA option are we setting? Signing algorithm or Key Algorithm?
> >> I thought we are only setting Signing algorithm, but in that
> >> case:
> >
> > We are setting key algorithm for the CA signing key.
>
> That did not make me any less confused... If I check for example
> fields from certificate details from my browser, I see 2 algorithm
> names:
>
> * Public Key Algorithm (RSA, ECC, ...)
> * Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with RSA,
> something with ECC)
>
> In that world, "key algorithm" should really refer to the key PKI
> algorithm, i.e. RSA, ECC, ... Signature algorithms are where hashes
> come into play.
>
> >> - --ca-key-algorithm option should rather read
> >> --ca-signing-key-algorithm
> >
> > If you want to emphasize that it is actually the algorithm used to
> > sign the CA certificate, the option should read
> > --ca-certificate-signature-algorithm, but I would rather stick to
> > Dogtag terminology and keep the string "key algorithm" in the
> > name.
>
> I still think for most people "key algorithm" refers to Public Key
> algorithm. Rob or Simo, what is your take on this?
If we are defining the signing algorithm, the "signing" string should be
somewhere in the option.
Having just --key-algorithm is indeed confusing.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
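The two fields Martin lists above (public key algorithm versus certificate signature algorithm) are separate in every X.509 certificate, which is the whole reason a "key algorithm" option that actually selects a hash is confusing. The script below is an added example, not code from this thread, from FreeIPA or from Dogtag; it assumes the pyca `cryptography` package is installed. It builds a self-signed CA certificate three ways (the same RSA key signed with SHA-256 and with SHA-512, and an EC key signed with SHA-256) and reads both algorithms back, showing that changing the hash changes only the signature algorithm OID while the public key algorithm stays put. The subject name, validity dates and key sizes are arbitrary values chosen for the example.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

# Arbitrary example values (not from any real deployment).
EXAMPLE_CN = "Example IPA CA"
EXAMPLE_NOT_BEFORE = datetime.datetime(2014, 9, 26)  # naive == UTC for the builder


def build_self_signed_ca(private_key, hash_alg):
    """Sign a minimal CA certificate for private_key's public half.

    hash_alg picks the *signature* algorithm (e.g. sha256WithRSAEncryption);
    the *public key* algorithm is fixed by the key type handed in.
    """
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, EXAMPLE_CN)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(private_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(EXAMPLE_NOT_BEFORE)
        .not_valid_after(EXAMPLE_NOT_BEFORE + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    )
    return builder.sign(private_key, hash_alg)


def describe(cert):
    """Return (public key algorithm, signature algorithm OID, signature hash).

    The first element is what a browser shows as "Public Key Algorithm";
    the other two together are its "Certificate Signature Algorithm".
    """
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        key_alg = "RSA-%d" % pub.key_size
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        key_alg = "EC-%s" % pub.curve.name
    else:
        key_alg = type(pub).__name__
    return (
        key_alg,
        cert.signature_algorithm_oid.dotted_string,
        cert.signature_hash_algorithm.name,
    )


def compare_algorithms():
    """Same RSA key, two hashes; plus an EC key. Only the signature OID moves."""
    rsa_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ec_key = ec.generate_private_key(ec.SECP256R1())
    return {
        "rsa_sha256": describe(build_self_signed_ca(rsa_key, hashes.SHA256())),
        "rsa_sha512": describe(build_self_signed_ca(rsa_key, hashes.SHA512())),
        "ec_sha256": describe(build_self_signed_ca(ec_key, hashes.SHA256())),
    }


if __name__ == "__main__":
    for label, (key_alg, sig_oid, sig_hash) in compare_algorithms().items():
        print("%-10s public key: %-14s signature: %s (%s)"
              % (label, key_alg, sig_oid, sig_hash))
    # To cross-check with the OpenSSL view of the same two fields:
    #   python3 this.py > ca.pem && openssl x509 -in ca.pem -noout -text
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = build_self_signed_ca(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)
    print(pem.decode(), end="")
```

The OIDs that come back are the standard sha256WithRSAEncryption (1.2.840.113549.1.1.11), sha512WithRSAEncryption (1.2.840.113549.1.1.13) and ecdsa-with-SHA256 (1.2.840.10045.4.3.2); the RSA-2048 / EC-secp256r1 label never changes when only the hash does, which is the distinction an option name like --ca-signing-algorithm makes and --ca-key-algorithm blurs.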