[Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install

Martin Kosek mkosek at redhat.com
Mon Sep 29 10:20:04 UTC 2014


On 09/29/2014 11:11 AM, Jan Cholasta wrote:
> Dne 29.9.2014 v 05:16 Fraser Tweedale napsal(a):
>> On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote:
>>> On Fri, 26 Sep 2014 13:54:34 +0200
>>> Martin Kosek <mkosek at redhat.com> wrote:
>>>
>>>>>> I tested the patch (it works fine with Dogtag 10), but I got very
>>>>>> confused.
>>>>>>
>>>>>> What CA option are we setting? Signing algorithm or Key Algorithm?
>>>>>> I thought we are only setting Signing algorithm, but in that
>>>>>> case:
>>>>>
>>>>> We are setting key algorithm for the CA signing key.
>>>>
>>>> That did not make me any less confused... If I check for example
>>>> fields from certificate details from my browser, I see 2 algorithm
>>>> names:
>>>>
>>>> * Public Key Algorithm (RSA, ECC, ...)
>>>> * Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with RSA,
>>>> something with ECC)
>>>>
>>>> In that world, "key algorithm" should really refer to the key PKI
>>>> algorithm, i.e. RSA, ECC, ... Signature algorithms are where hashes
>>>> come into play.
>>>>
>>>>>> - --ca-key-algorithm option should rather read
>>>>>> --ca-signing-key-algorithm
>>>>>
>>>>> If you want to emphasize that it is actually the algorithm used to
>>>>> sign the CA certificate, the option should read
>>>>> --ca-certificate-signature-algorithm, but I would rather stick to
>>>>> Dogtag terminology and keep the string "key algorithm" in the
>>>>> name.
>>>>
>>>> I still think for most people "key algorithm" refers to Public Key
>>>> algorithm. Rob or Simo, what is your take on this?
>>>
>>> If we are defining the signing algorithm the "signing" string should be
>>> somewhere in the option.
>>> Having just --key-algorithm is indeed confusing.
>>>
>>> Simo.
>>>
>>
>> My take is that the terminology should be chosen in line with
>> standards.  The X.509 field is called `signatureAlgorithm' so
>> `--ca-certificate-signature-algorithm' makes sense to me.
>> Consistency with Dogtag terminology is a secondary consideration
>> considering FreeIPA users are unlikely to interact directly with
>> Dogtag much (especially during installation).
>>
>> Fraser
>>
> 
> I think it actually sets both the key algorithm and the signature algorithm
> (you can't do an RSA signature with an EC key, etc.), that's probably why it is
> called "key algorithm" in Dogtag.

Hm, you are right that the key algorithm is implied during signature algorithm
selection. But still, values SHA256withRSA and friends really denote just a
signature algorithm and the option should be named accordingly.

Martin
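To make the distinction the thread argues over concrete, here is an added example (not part of the patch or of FreeIPA's code, written for this archive) in Go using only the standard library. It generates a throwaway self-signed CA certificate from either an RSA or an EC key, optionally forcing the signature algorithm the way an installer option would, and then reads back the two separate X.509 fields: the public key algorithm (from subjectPublicKeyInfo) and the certificate's signatureAlgorithm. It also shows the point Jan makes, that the requested signature algorithm must agree with the key type, by requesting SHA256withRSA for an EC key and getting a refusal. The CA name and the 2048-bit/P-256 key sizes are constructed test values, not anything FreeIPA or Dogtag uses.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertAlgorithms holds the two distinct algorithm fields of an X.509 certificate:
// the public key algorithm (RSA, ECDSA, ...) and the signatureAlgorithm
// (SHA256-RSA, ECDSA-SHA256, ...). These are separate fields on the wire.
type CertAlgorithms struct {
	PublicKey x509.PublicKeyAlgorithm
	Signature x509.SignatureAlgorithm
}

// keyFor generates a fresh private key of the requested type.
// Key sizes are constructed test values, not a recommendation.
func keyFor(keyType string) (crypto.Signer, error) {
	switch keyType {
	case "rsa":
		return rsa.GenerateKey(rand.Reader, 2048)
	case "ecdsa":
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	return nil, fmt.Errorf("unsupported key type %q", keyType)
}

// SelfSignedCA builds a self-signed CA certificate for a key of the given type.
// sigAlg plays the role of an installer "signing algorithm" option: pass
// x509.UnknownSignatureAlgorithm to let the library pick a default for the key
// type, or a concrete value to force one. It returns what actually ended up in
// the certificate, or an error if the request does not match the key type.
func SelfSignedCA(keyType string, sigAlg x509.SignatureAlgorithm) (CertAlgorithms, error) {
	key, err := keyFor(keyType)
	if err != nil {
		return CertAlgorithms{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"}, // constructed
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		SignatureAlgorithm:    sigAlg,
	}
	// Self-signed: template is both subject and issuer, signed with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return CertAlgorithms{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertAlgorithms{}, err
	}
	return CertAlgorithms{PublicKey: cert.PublicKeyAlgorithm, Signature: cert.SignatureAlgorithm}, nil
}

func main() {
	cases := []struct {
		keyType string
		sigAlg  x509.SignatureAlgorithm
	}{
		{"rsa", x509.UnknownSignatureAlgorithm}, // library default for RSA
		{"rsa", x509.SHA256WithRSA},             // explicit "SHA256withRSA"
		{"ecdsa", x509.UnknownSignatureAlgorithm}, // library default for P-256
		{"ecdsa", x509.SHA256WithRSA},           // mismatch: RSA signature, EC key
	}
	for _, c := range cases {
		got, err := SelfSignedCA(c.keyType, c.sigAlg)
		if err != nil {
			fmt.Printf("%-5s key, requested %v: refused (%v)\n", c.keyType, c.sigAlg, err)
			continue
		}
		fmt.Printf("%-5s key, requested %v: public key algorithm=%v, signature algorithm=%v\n",
			c.keyType, c.sigAlg, got.PublicKey, got.Signature)
	}
}
```

The output makes the naming argument visible: the "key algorithm" is RSA or ECDSA, the "signature algorithm" is the hash-plus-key combination such as SHA256-RSA, and choosing the latter constrains the former but is not the same field.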