[Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install

Jan Cholasta jcholast at redhat.com
Mon Sep 29 11:13:53 UTC 2014


On 29.9.2014 at 12:20, Martin Kosek wrote:
> On 09/29/2014 11:11 AM, Jan Cholasta wrote:
>> On 29.9.2014 at 05:16, Fraser Tweedale wrote:
>>> On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote:
>>>> On Fri, 26 Sep 2014 13:54:34 +0200
>>>> Martin Kosek <mkosek at redhat.com> wrote:
>>>>
>>>>>>> I tested the patch (it works fine with Dogtag 10), but I got very
>>>>>>> confused.
>>>>>>>
>>>>>>> What CA option are we setting? Signing algorithm or Key Algorithm?
>>>>>>> I thought we are only setting Signing algorithm, but in that
>>>>>>> case:
>>>>>>
>>>>>> We are setting key algorithm for the CA signing key.
>>>>>
>>>>> That did not make me any less confused... If I check for example
>>>>> fields from certificate details from my browser, I see 2 algorithm
>>>>> names:
>>>>>
>>>>> * Public Key Algorithm (RSA, ECC, ...)
>>>>> * Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with RSA,
>>>>> something with ECC)
>>>>>
>>>>> In that world, "key algorithm" should really refer to the key PKI
>>>>> algorithm, i.e. RSA, ECC, ... Signature algorithms are where hashes
>>>>> come into play.
>>>>>
>>>>>>> - --ca-key-algorithm option should rather read
>>>>>>> --ca-signing-key-algorithm
>>>>>>
>>>>>> If you want to emphasize that it is actually the algorithm used to
>>>>>> sign the CA certificate, the option should read
>>>>>> --ca-certificate-signature-algorithm, but I would rather stick to
>>>>>> Dogtag terminology and keep the string "key algorithm" in the
>>>>>> name.
>>>>>
>>>>> I still think for most people "key algorithm" refers to Public Key
>>>>> algorithm. Rob or Simo, what is your take on this?
>>>>
>>>> If we are defining the signing algorithm, the "signing" string should be
>>>> somewhere in the option.
>>>> Having just --key-algorithm is indeed confusing.
>>>>
>>>> Simo.
>>>>
>>>
>>> My take is that the terminology should be chosen in line with
>>> standards.  The X.509 field is called `signatureAlgorithm' so
>>> `--ca-certificate-signature-algorithm' makes sense to me.
>>> Consistency with Dogtag terminology is a secondary consideration
>>> considering FreeIPA users are unlikely to interact directly with
>>> Dogtag much (especially during installation).
>>>
>>> Fraser
>>>
>>
>> I think it actually sets both the key algorithm and the signature algorithm
>> (you can't do an RSA signature with an EC key, etc.), that's probably why it is
>> called "key algorithm" in Dogtag.
>
> Hm, you are right that the key algorithm is implied during signature algorithm
> selection. But still, values SHA256withRSA and friends really denote just a
> signature algorithm and the option should be named accordingly.
>
> Martin
>

Updated patch attached.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-314.2-Allow-specifying-signing-algorithm-of-the-IPA-CA-cer.patch
Type: text/x-patch
Size: 5931 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140929/47e50e37/attachment.bin>
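The distinction argued in the thread, as an added example that is not code from the thread, FreeIPA or Dogtag: a small pure-Python DER walker that names a certificate's signatureAlgorithm, tbsCertificate.signature and subjectPublicKeyInfo algorithm, then checks that the two signature fields agree and that the key type suits the signature algorithm. The certificate it parses is a constructed stand-in rather than a real one; the OIDs are the standard X.509 ones.

```python
# The certificate built below is a constructed, structurally minimal stand-in, not a valid cert.
OID_NAMES = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10045.2.1": "id-ecPublicKey",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}
# Key algorithm each signature algorithm presupposes ("SHA256withRSA" fixes both).
IMPLIED_KEY = {"sha256WithRSAEncryption": "rsaEncryption", "ecdsa-with-SHA256": "id-ecPublicKey"}

def tlv(tag, value):  # DER TLV encoder; short-form length suffices for the stand-in
    return bytes([tag, len(value)]) + value

def der_children(value):  # yield (tag, contents) for each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low bits give the byte count
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        yield tag, value[pos:pos + length]
        pos += length

def alg_name(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }."""
    _tag, oid = next(der_children(alg_id))
    arcs, acc = [oid[0] // 40, oid[0] % 40], 0
    for b in oid[1:]:  # remaining arcs are base-128, high bit means "continues"
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)

def certificate_algorithms(cert_der):
    """Name the three algorithm fields; RFC 5280 4.1.1.2 requires the two signature fields to match."""
    tbs, sig_alg, _sig = [v for _t, v in der_children(next(der_children(cert_der))[1])]
    fields = [v for t, v in der_children(tbs) if t != 0xA0]  # serial, signature, issuer, validity, subject, spki
    out = {"signatureAlgorithm": alg_name(sig_alg), "tbs.signature": alg_name(fields[1]),
           "key": alg_name(next(der_children(fields[5]))[1])}
    out["consistent"] = (out["signatureAlgorithm"] == out["tbs.signature"]
                         and IMPLIED_KEY.get(out["signatureAlgorithm"]) == out["key"])
    return out

def stand_in_cert(sig_oid, key_oid):  # raw OID contents in, DER Certificate out
    alg = lambda oid: tlv(0x30, tlv(0x06, oid) + b"\x05\x00")
    spki = tlv(0x30, alg(key_oid) + tlv(0x03, b"\x00\xff"))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg(sig_oid) + tlv(0x30, b"") * 3 + spki)
    return tlv(0x30, tbs + alg(sig_oid) + tlv(0x03, b"\x00\xff"))

SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
RSA, EC = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", b"\x2a\x86\x48\xce\x3d\x02\x01"
print(certificate_algorithms(stand_in_cert(SHA256_RSA, RSA)))  # consistent: True
print(certificate_algorithms(stand_in_cert(SHA256_RSA, EC)))   # consistent: False
```

The same function works on a real DER certificate (for example an exported CA certificate), since the walker handles long-form lengths and the optional version field; OIDs outside the small table come back in dotted form, and `consistent` is only meaningful for the algorithms named in the thread.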
