[Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install

Martin Kosek mkosek at redhat.com
Mon Sep 29 11:45:42 UTC 2014


On 09/29/2014 01:13 PM, Jan Cholasta wrote:
> Dne 29.9.2014 v 12:20 Martin Kosek napsal(a):
>> On 09/29/2014 11:11 AM, Jan Cholasta wrote:
>>> Dne 29.9.2014 v 05:16 Fraser Tweedale napsal(a):
>>>> On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote:
>>>>> On Fri, 26 Sep 2014 13:54:34 +0200
>>>>> Martin Kosek <mkosek at redhat.com> wrote:
>>>>>
>>>>>>>> I tested the patch (it works fine with Dogtag 10), but I got very
>>>>>>>> confused.
>>>>>>>>
>>>>>>>> What CA option are we setting? Signing algorithm or Key Algorithm?
>>>>>>>> I thought we are only setting Signing algorithm, but in that
>>>>>>>> case:
>>>>>>>
>>>>>>> We are setting key algorithm for the CA signing key.
>>>>>>
>>>>>> That did not make me any less confused... If I check for example
>>>>>> fields from certificate details from my browser, I see 2 algorithm
>>>>>> names:
>>>>>>
>>>>>> * Public Key Algorithm (RSA, ECC, ...)
>>>>>> * Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with RSA,
>>>>>> something with ECC)
>>>>>>
>>>>>> In that world, "key algorithm" should really refer to the key PKI
>>>>>> algorithm, i.e. RSA, ECC, ... Signature algorithms are where hashes
>>>>>> come into play.
>>>>>>
>>>>>>>> - --ca-key-algorithm option should rather read
>>>>>>>> --ca-signing-key-algorithm
>>>>>>>
>>>>>>> If you want to emphasize that it is actually the algorithm used to
>>>>>>> sign the CA certificate, the option should read
>>>>>>> --ca-certificate-signature-algorithm, but I would rather stick to
>>>>>>> Dogtag terminology and keep the string "key algorithm" in the
>>>>>>> name.
>>>>>>
>>>>>> I still think for most people "key algorithm" refers to Public Key
>>>>>> algorithm. Rob or Simo, what is your take on this?
>>>>>
>>>>> If we are defining the signing algorithm the "signing" string should be
>>>>> somewhere in the option.
>>>>> Having just --key-algorithm is indeed confusing.
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> My take is that the terminology should be chosen in line with
>>>> standards.  The X.509 field is called `signatureAlgorithm' so
>>>> `--ca-certificate-signature-algorithm' makes sense to me.
>>>> Consistency with Dogtag terminology is a secondary consideration
>>>> considering FreeIPA users are unlikely to interact directly with
>>>> Dogtag much (especially during installation).
>>>>
>>>> Fraser
>>>>
>>>
>>> I think it actually sets both the key algorithm and the signature algorithm
>>> (you can't do a RSA signature with a EC key, etc.), that's probably why it is
>>> called "key algorithm" in Dogtag.
>>
>> Hm, you are right that the key algorithm is implied during signature algorithm
>> selection. But still, values SHA256withRSA and friends really denote just a
>> signature algorithm and the option should be named accordingly.
>>
>> Martin
>>
> 
> Updated patch attached.
> 

Looks good to me (and works well too) - ACK.

Pushed to master, ipa-4-1.

(I just had to do a minor conflict resolution on master branch)

Thanks,
Martin
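
The distinction argued over in this thread (Public Key Algorithm in
subjectPublicKeyInfo versus the certificate's signatureAlgorithm, and the
fact that a value like SHA256withRSA fixes both the digest and the key
family of the signing key) can be checked directly on a generated CA
certificate. The script below is an added example written for this page;
it is not FreeIPA, Dogtag or ipa-server-install code. It assumes an
`openssl` binary on PATH, and the two tiny helpers that split a
Dogtag-style "<DIGEST>with<KEYTYPE>" string assume that naming convention
from the one value named above (SHA256withRSA); nothing here talks to
Dogtag.

```shell
#!/bin/sh
# Added example (not FreeIPA/Dogtag code): generate two self-signed CA
# certificates with the same signature hash but different key types, then
# read back the two separate X.509 algorithm fields:
#   - subjectPublicKeyInfo.algorithm  ("Public Key Algorithm" in openssl output)
#   - signatureAlgorithm              ("Signature Algorithm" in openssl output)
# Requires: openssl on PATH. Certificates are written to a temp dir.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME DIGEST NEWKEY_ARGS...
#   Self-signed CA cert at "$WORK/NAME.crt", signed with DIGEST (sha256, ...).
#   NEWKEY_ARGS are passed to `openssl req -newkey`, e.g. "rsa:2048" or
#   "ec -pkeyopt ec_paramgen_curve:prime256v1". Prints the cert path.
make_ca() {
    name=$1; digest=$2; shift 2
    openssl req -x509 -new -nodes -newkey "$@" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
        -"$digest" -days 1 -subj "/O=EXAMPLE/CN=Example CA ($name)" \
        >/dev/null 2>&1
    printf '%s\n' "$WORK/$name.crt"
}

# pubkey_alg_of CERT: the key algorithm of the subject public key
#   (rsaEncryption, id-ecPublicKey, ...). This is what "key algorithm"
#   means in X.509 terms.
pubkey_alg_of() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# sig_alg_of CERT: the signatureAlgorithm of the certificate
#   (sha256WithRSAEncryption, ecdsa-with-SHA256, ...). This is the field a
#   value such as SHA256withRSA actually selects: hash + key family.
sig_alg_of() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Split a Dogtag-style signature algorithm name (assumed convention,
# e.g. SHA256withRSA) into the digest and the key family it implies.
dogtag_digest()   { printf '%s\n' "${1%%with*}"; }
dogtag_key_type() { printf '%s\n' "${1##*with}"; }

# Same digest (SHA-256) for both; only the signing key type differs.
RSA_CRT=$(make_ca rsa sha256 rsa:2048)
EC_CRT=$(make_ca ec sha256 ec -pkeyopt ec_paramgen_curve:prime256v1)

for crt in "$RSA_CRT" "$EC_CRT"; do
    printf '%s\n  Public Key Algorithm: %s\n  Signature Algorithm:  %s\n' \
        "$crt" "$(pubkey_alg_of "$crt")" "$(sig_alg_of "$crt")"
done
printf 'SHA256withRSA -> digest %s, key family %s\n' \
    "$(dogtag_digest SHA256withRSA)" "$(dogtag_key_type SHA256withRSA)"
```

Running it shows rsaEncryption / sha256WithRSAEncryption for the first
certificate and id-ecPublicKey / ecdsa-with-SHA256 for the second: the
digest is the same, the key algorithm field differs, and the signature
algorithm names both, which is why choosing SHA256withRSA for the CA
implies an RSA signing key even though the value itself is a signature
algorithm.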
