[Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation
Simo Sorce
simo at redhat.com
Mon Jul 25 16:23:20 UTC 2016
On Mon, 2016-07-25 at 12:09 -0400, Ben Lipton wrote:
> On 07/25/2016 12:03 PM, Simo Sorce wrote:
> > On Mon, 2016-07-25 at 18:05 +0300, Alexander Bokovoy wrote:
> >>> But maybe I'm not seeing the proper priorities here. Perhaps it's
> >> more
> >>> of a problem because clients are easier to update with bugfixes than
> >>> the server? Or maybe the preference for the client is for
> >> scalability
> >>> reasons? Could you tell me more about why you prefer a client
> >>> implementation?
> >> Making client responsible for generating the certificate signing
> >> request serves several purposes where privacy is one of main benefits:
> >> access to private key stays at the client side.
> > I would definitely veto any scheme where the client must send the
> > private key to the server. I thought the server would generate the CSR,
> > but then it would be sent to the client for signing ?
> >
> > Simo.
> >
> The server generates the data and formats it for the helper tool. The
> helper runs on the client and generates the CSR, with signature. I don't
> think we were considering signing anything server-side; in this thread I
> was referring to whether the data should be requested and formatted on
> the server or client side.
This was my understanding as well, but Alexander's comment startled me,
thanks for confirming.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list