[Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install

Fraser Tweedale ftweedal at redhat.com
Mon Sep 29 03:16:07 UTC 2014


On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote:
> On Fri, 26 Sep 2014 13:54:34 +0200
> Martin Kosek <mkosek at redhat.com> wrote:
> 
> > >> I tested the patch (it works fine with Dogtag 10), but I got very
> > >> confused.
> > >>
> > >> What CA option are we setting? Signing algorithm or Key Algorithm?
> > >> I thought we are only setting Signing algorithm, but in that
> > >> case:  
> > >
> > > We are setting key algorithm for the CA signing key.  
> > 
> > That did not make me any less confused... If I check, for example,
> > fields from certificate details in my browser, I see 2 algorithm
> > names:
> > 
> > * Public Key Algorithm (RSA, ECC, ...)
> > * Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with RSA,
> > something with ECC)
> > 
> > In that world, "key algorithm" should really refer to the key PKI
> > algorithm, i.e. RSA, ECC, ... Signature algorithms are where hashes
> > come into play.
> > 
> > >> - --ca-key-algorithm option should rather read
> > >> --ca-signing-key-algorithm  
> > >
> > > If you want to emphasize that it is actually the algorithm used to
> > > sign the CA certificate, the option should read
> > > --ca-certificate-signature-algorithm, but I would rather stick to
> > > Dogtag terminology and keep the string "key algorithm" in the
> > > name.  
> > 
> > I still think for most people "key algorithm" refers to Public Key
> > algorithm. Rob or Simo, what is your take on this?
> 
> If we are defining the signing algorithm the "signing" string should be
> somewhere in the option.
> Having just --key-algorithm is indeed confusing.
> 
> Simo.
> 

My take is that the terminology should be chosen in line with
standards.  The X.509 field is called `signatureAlgorithm' so
`--ca-certificate-signature-algorithm' makes sense to me.
Consistency with Dogtag terminology is a secondary consideration
considering FreeIPA users are unlikely to interact directly with
Dogtag much (especially during installation).

Fraser

> -- 
> Simo Sorce * Red Hat, Inc * New York
> 
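The thread turns on the difference between the two "algorithm" fields of an X.509 certificate: `subjectPublicKeyInfo.algorithm` (the public key algorithm, e.g. rsaEncryption) and `signatureAlgorithm` (the hash-plus-signature scheme, e.g. sha256WithRSAEncryption). The following example, added here and not code from the thread, FreeIPA or Dogtag, walks the DER structure of a certificate with only the Python standard library and reports both fields, plus the RFC 5280 check that the inner `tbsCertificate.signature` copy matches the outer `signatureAlgorithm`. The certificates it parses are constructed, unsigned skeletons built by the `build_skeleton_cert` helper (placeholder issuer, subject, key and signature bytes), so the code runs offline; the OIDs are the real RFC 3279/4055/5758 values.

```python
"""Distinguish the public-key algorithm from the signature algorithm in an
X.509 certificate by walking its DER structure (RFC 5280, section 4.1):

  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
  TBSCertificate ::= SEQUENCE { version [0], serialNumber, signature,
                                issuer, validity, subject, subjectPublicKeyInfo, ... }
  SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey }
"""

# Real OIDs from RFC 3279/4055/5758, dotted form -> name.
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq_content):
    """Split SEQUENCE content into its immediate (tag, content) children."""
    out, pos = [], 0
    while pos < len(seq_content):
        tag, val, pos = _read_tlv(seq_content, pos)
        out.append((tag, val))
    return out

def _decode_oid(raw):
    """DER OBJECT IDENTIFIER content -> dotted string (base-128 arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _alg_id(alg_content):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }."""
    tag, oid_bytes = _children(alg_content)[0]
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    oid = _decode_oid(oid_bytes)
    return OID_NAMES.get(oid, oid)

def certificate_algorithms(der):
    """Return (tbs.signature, outer signatureAlgorithm, subjectPublicKeyInfo.algorithm)."""
    tag, cert, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tbs, outer_sig_alg, _sig_value = _children(cert)
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:               # optional version [0] EXPLICIT comes first
        fields = fields[1:]
    _serial, tbs_sig_alg, _issuer, _validity, _subject, spki = fields[:6]
    spki_alg, _public_key = _children(spki[1])
    return _alg_id(tbs_sig_alg[1]), _alg_id(outer_sig_alg[1]), _alg_id(spki_alg[1])

def check_signature_fields_match(der):
    """RFC 5280 4.1.2.3: tbsCertificate.signature MUST equal signatureAlgorithm.
    A mismatch marks a malformed (or tampered) certificate before any crypto runs."""
    inner, outer, _key = certificate_algorithms(der)
    return inner == outer

# --- constructed sample input (DER encoder for a parsable, unsigned skeleton) ---
def _tlv(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    ln = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = bytearray([a & 0x7F]), a >> 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def _alg(oid, params=b"\x05\x00"):       # NULL parameters unless given
    return _tlv(0x30, _encode_oid(oid) + params)

def build_skeleton_cert(sig_alg, key_alg, tbs_sig_alg=None):
    """Constructed sample: structurally valid, with empty Names and dummy key/signature."""
    name = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"140101000000Z") * 2)
    spki = _tlv(0x30, key_alg + _tlv(0x03, b"\x00" * 5))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + (tbs_sig_alg or sig_alg) + name + validity + name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 9))

SAMPLE_RSA = build_skeleton_cert(_alg("1.2.840.113549.1.1.11"), _alg("1.2.840.113549.1.1.1"))
SAMPLE_EC = build_skeleton_cert(_alg("1.2.840.10045.4.3.2", b""),
                                _alg("1.2.840.10045.2.1", _encode_oid("1.2.840.10045.3.1.7")))
SAMPLE_MISMATCH = build_skeleton_cert(_alg("1.2.840.113549.1.1.11"), _alg("1.2.840.113549.1.1.1"),
                                      tbs_sig_alg=_alg("1.2.840.113549.1.1.5"))

if __name__ == "__main__":
    for label, der in (("RSA", SAMPLE_RSA), ("EC", SAMPLE_EC), ("mismatch", SAMPLE_MISMATCH)):
        inner, outer, key = certificate_algorithms(der)
        print(f"{label}: signatureAlgorithm={outer} (tbs.signature={inner}); "
              f"public key algorithm={key}; consistent={check_signature_fields_match(der)}")
```

Running it prints the RSA sample as `signatureAlgorithm=sha256WithRSAEncryption` with `public key algorithm=rsaEncryption`, which is exactly the two-field split Martin describes: the hash lives only in the signature algorithm, never in the key algorithm. The same parser works on a real DER certificate read from disk, and the mismatch sample shows why a validator should compare the inner and outer signature fields before trusting either.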
