[Freeipa-devel] [PATCH] 314 Allow specifying key algorithm of the IPA CA cert in ipa-server-install

Simo Sorce ssorce at redhat.com
Mon Sep 29 12:48:59 UTC 2014


On Mon, 29 Sep 2014 13:16:07 +1000
Fraser Tweedale <ftweedal at redhat.com> wrote:

> On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote:
> > On Fri, 26 Sep 2014 13:54:34 +0200
> > Martin Kosek <mkosek at redhat.com> wrote:
> > 
> > > >> I tested the patch (it works fine with Dogtag 10), but I got
> > > >> very confused.
> > > >>
> > > >> What CA option are we setting? Signing algorithm or Key
> > > >> Algorithm? I thought we are only setting Signing algorithm,
> > > >> but in that case:  
> > > >
> > > > We are setting key algorithm for the CA signing key.  
> > > 
> > > That did not make me any less confused... If I check, for example,
> > > fields from certificate details in my browser, I see 2
> > > algorithm names:
> > > 
> > > * Public Key Algorithm (RSA, ECC, ...)
> > > * Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with
> > > RSA, something with ECC)
> > > 
> > > In that world, "key algorithm" should really refer to the key PKI
> > > algorithm, i.e. RSA, ECC, ... Signature algorithms are where hashes
> > > come into play.
> > > 
> > > >> - --ca-key-algorithm option should rather read
> > > >> --ca-signing-key-algorithm  
> > > >
> > > > If you want to emphasize that it is actually the algorithm used
> > > > to sign the CA certificate, the option should read
> > > > --ca-certificate-signature-algorithm, but I would rather stick
> > > > to Dogtag terminology and keep the string "key algorithm" in the
> > > > name.  
> > > 
> > > I still think for most people "key algorithm" refers to Public Key
> > > algorithm. Rob or Simo, what is your take on this?
> > 
> > If we are defining the signing algorithm the "signing" string
> > should be somewhere in the option.
> > Having just --key-algorithm is indeed confusing.
> > 
> > Simo.
> > 
> 
> My take is that the terminology should be chosen in line with
> standards.  The X.509 field is called `signatureAlgorithm' so
> `--ca-certificate-signature-algorithm' makes sense to me.
> Consistency with Dogtag terminology is a secondary consideration
> considering FreeIPA users are unlikely to interact directly with
> Dogtag much (especially during installation).

+1

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
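The distinction the thread settles on is visible in the certificate structure itself: the public key algorithm is the `algorithm` field inside `tbsCertificate.subjectPublicKeyInfo`, while the signature algorithm is the top-level `signatureAlgorithm` field (duplicated as `tbsCertificate.signature`, which RFC 5280 requires to match). The following is an added example, not code from this thread or from FreeIPA or Dogtag: a stdlib-only DER walker that pulls both identifiers out of a certificate and checks the inner/outer signature algorithms agree. The certificate bytes it reads are constructed in the block with a small DER encoder, carry a dummy key and a dummy signature, and would never verify; the OID table covers only the handful of algorithms the example needs.

```python
# Added example (not from the FreeIPA thread or the FreeIPA/Dogtag code base).
# RFC 5280 layout the walker relies on:
#   Certificate ::= SEQUENCE {
#       tbsCertificate      TBSCertificate,     -- holds subjectPublicKeyInfo.algorithm
#       signatureAlgorithm  AlgorithmIdentifier,
#       signatureValue      BIT STRING }

OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",             # public key algorithm
    "1.2.840.10045.2.1": "id-ecPublicKey",               # public key algorithm
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",     # signature algorithm
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",  # signature algorithm
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",          # signature algorithm
    "1.2.840.10045.3.1.7": "secp256r1",                  # namedCurve parameter
}

# --- minimal DER encoder, just enough to build the constructed demo cert ------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long form
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def alg_id(oid, params=None):
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    return seq(encode_oid(oid), params) if params else seq(encode_oid(oid))

def bit_string(data):
    return tlv(0x03, b"\x00" + data)    # leading 0x00: no unused bits

def build_demo_certificate(key_oid, sig_oid, key_params=b"\x05\x00",
                           sig_params=b"\x05\x00", tbs_sig_oid=None):
    """Constructed, never-signed demo certificate. tbs_sig_oid lets a caller
    build one whose inner and outer signature algorithms disagree."""
    tbs_sig_oid = tbs_sig_oid or sig_oid
    empty_name = seq()                                   # empty RDNSequence (placeholder)
    utc = lambda s: tlv(0x17, s.encode())                # UTCTime
    validity = seq(utc("140929000000Z"), utc("240929000000Z"))
    spki = seq(alg_id(key_oid, key_params), bit_string(b"dummy public key"))
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                   # [0] version v3
        tlv(0x02, b"\x01"),                              # serialNumber
        alg_id(tbs_sig_oid, sig_params),                 # signature (must match outer)
        empty_name, validity, empty_name,                # issuer, validity, subject
        spki,                                            # subjectPublicKeyInfo
    )
    return seq(tbs, alg_id(sig_oid, sig_params), bit_string(b"dummy signature"))

# --- minimal DER decoder ------------------------------------------------------

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def decode_oid(body):
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def algorithm_name(alg_id_body):
    tag, oid_body = children(alg_id_body)[0]             # first element is the OID
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    dotted = decode_oid(oid_body)
    return OID_NAMES.get(dotted, dotted)

def describe_algorithms(cert_der):
    """Return the public key algorithm, the certificate signature algorithm,
    and whether tbsCertificate.signature matches signatureAlgorithm."""
    _, cert_body, _ = read_tlv(cert_der)
    tbs, outer_sig_alg, _sig_value = children(cert_body)
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial=0, signature=1, issuer=2, validity=3, subject=4, subjectPublicKeyInfo=5
    spki_alg, _public_key = children(fields[5][1])
    inner, outer = algorithm_name(fields[1][1]), algorithm_name(outer_sig_alg[1])
    return {
        "public_key_algorithm": algorithm_name(spki_alg[1]),
        "signature_algorithm": outer,
        "signature_algorithms_consistent": inner == outer,   # RFC 5280 s. 4.1.2.3
    }

if __name__ == "__main__":
    demo = build_demo_certificate("1.2.840.113549.1.1.1", "1.2.840.113549.1.1.11")
    for field, value in describe_algorithms(demo).items():
        print(f"{field}: {value}")
```

Run against the RSA demo certificate this prints `rsaEncryption` for the key and `sha256WithRSAEncryption` for the signature, which is exactly the split the thread wants the option name to reflect: a `--ca-key-algorithm` would be expected to pick the first, while the patch configures the second. The consistency flag is worth keeping in any real checker, since a mismatch between the inner and outer signature algorithm fields is a malformed certificate rather than a naming quibble.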
