[Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install

Jan Cholasta jcholast at redhat.com
Mon Sep 29 09:11:06 UTC 2014


Dne 29.9.2014 v 05:16 Fraser Tweedale napsal(a):
> On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote:
>> On Fri, 26 Sep 2014 13:54:34 +0200
>> Martin Kosek <mkosek at redhat.com> wrote:
>>
>>>>> I tested the patch (it works fine with Dogtag 10), but I got very
>>>>> confused.
>>>>>
>>>>> What CA option are we setting? Signing algorithm or Key Algorithm?
>>>>> I thought we are only setting Signing algorithm, but in that
>>>>> case:
>>>>
>>>> We are setting key algorithm for the CA signing key.
>>>
>>> That did not make me any less confused... If I check for example
>>> fields from certificate details from my browser, I see 2 algorithm
>>> names:
>>>
>>> * Public Key Algorithm (RSA, ECC, ...)
>>> * Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with RSA,
>>> something with ECC)
>>>
>>> In that world, "key algorithm" should really refer to the key PKI
>>> algorithm, i.e. RSA, ECC, ... Signature algorithms are where hashes
>>> come into play.
>>>
>>>>> - --ca-key-algorithm option should rather read
>>>>> --ca-signing-key-algorithm
>>>>
>>>> If you want to emphasize that it is actually the algorithm used to
>>>> sign the CA certificate, the option should read
>>>> --ca-certificate-signature-algorithm, but I would rather stick to
>>>> Dogtag terminology and keep the string "key algorithm" in the
>>>> name.
>>>
>>> I still think for most people "key algorithm" refers to Public Key
>>> algorithm. Rob or Simo, what is your take on this?
>>
>> If we are defining the signing algorithm the "signing" string should be
>> somewhere in the option.
>> Having just --key-algorithm is indeed confusing.
>>
>> Simo.
>>
>
> My take is that the terminology should be chosen in line with
> standards.  The X.509 field is called `signatureAlgorithm' so
> `--ca-certificate-signature-algorithm' makes sense to me.
> Consistency with Dogtag terminology is a secondary consideration
> considering FreeIPA users are unlikely to interact directly with
> Dogtag much (especially during installation).
>
> Fraser
>

I think it actually sets both the key algorithm and the signature 
algorithm (you can't do an RSA signature with an EC key, etc.), that's 
probably why it is called "key algorithm" in Dogtag.

-- 
Jan Cholasta
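Added example, not code from FreeIPA, Dogtag, or anyone in this thread: it illustrates Jan's point that a single "key algorithm" value fixes both X.509 fields Martin listed. The key family (RSA or EC) decides which signature family is even possible, and the hash part selects the member of that family, so the resulting certificate's `signatureAlgorithm` follows from the two together. The Dogtag-style value format `SHA256withRSA` / `SHA256withEC` is assumed here, as are the helper names and the constructed "Example CA" subject; the third-party `cryptography` package is required.

```python
"""Added example, not FreeIPA or Dogtag code.

Shows why one "key algorithm" knob such as SHA256withRSA pins down two
X.509 fields at once: the key family (RSA or EC) fixes the *family* of
signatureAlgorithm, and the hash part fixes which member of that family
is used. Assumes the third-party `cryptography` package; the value
format, helper names and the CA subject are this example's own.
"""
import datetime
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID, SignatureAlgorithmOID

HASHES = {"SHA256": hashes.SHA256, "SHA384": hashes.SHA384, "SHA512": hashes.SHA512}

# Readable names for the signatureAlgorithm OIDs this example can produce
# (the names are the ones OpenSSL prints for these OIDs).
SIGNATURE_NAMES = {
    SignatureAlgorithmOID.RSA_WITH_SHA256: "sha256WithRSAEncryption",
    SignatureAlgorithmOID.RSA_WITH_SHA384: "sha384WithRSAEncryption",
    SignatureAlgorithmOID.RSA_WITH_SHA512: "sha512WithRSAEncryption",
    SignatureAlgorithmOID.ECDSA_WITH_SHA256: "ecdsa-with-SHA256",
    SignatureAlgorithmOID.ECDSA_WITH_SHA384: "ecdsa-with-SHA384",
    SignatureAlgorithmOID.ECDSA_WITH_SHA512: "ecdsa-with-SHA512",
}


def parse_key_algorithm(value):
    """Split an assumed Dogtag-style value like 'SHA256withRSA' into
    (hash name, key family). Anything else is rejected."""
    m = re.fullmatch(r"(SHA256|SHA384|SHA512)with(RSA|EC)", value)
    if m is None:
        raise ValueError("unsupported key algorithm: %r" % value)
    return m.group(1), m.group(2)


def generate_ca_key(key_family):
    """The key family is what decides the signature family: an RSA key can
    only ever produce RSA signatures, an EC key only ECDSA ones."""
    if key_family == "RSA":
        return rsa.generate_private_key(public_exponent=65537, key_size=2048)
    if key_family == "EC":
        return ec.generate_private_key(ec.SECP256R1())
    raise ValueError("unsupported key family: %r" % key_family)


def self_signed_ca(key_algorithm):
    """Build a self-signed CA certificate from one combined value."""
    hash_name, key_family = parse_key_algorithm(key_algorithm)
    key = generate_ca_key(key_family)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])  # constructed
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    )
    # The library derives signatureAlgorithm from the key type plus the hash
    # we pass; there is no API to ask an EC key for an RSA signature.
    return builder.sign(key, HASHES[hash_name]())


def describe(cert):
    """Return the two fields a browser shows for a certificate: the public
    key algorithm, the signature algorithm, and the hash inside it."""
    pub = cert.public_key()
    key_alg = "RSA" if isinstance(pub, rsa.RSAPublicKey) else "EC"
    return (
        key_alg,
        SIGNATURE_NAMES[cert.signature_algorithm_oid],
        cert.signature_hash_algorithm.name,
    )


if __name__ == "__main__":
    for value in ("SHA256withRSA", "SHA512withRSA", "SHA256withEC", "SHA384withEC"):
        print(value, "->", describe(self_signed_ca(value)))
```

Running it prints one line per value; the first element of each tuple follows the `with...` suffix, the second follows both parts, and the third follows only the prefix, which is the coupling Jan describes. Whatever the option is finally called, its value has to carry both pieces of information.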
