[Freeipa-devel] #5836 [RFE] Allow profile to specify default CA
Fraser Tweedale
ftweedal at redhat.com
Wed May 4 00:21:22 UTC 2016
Continuing the discussion for #5836[1] as requested from triage
session.
[1] https://fedorahosted.org/freeipa/ticket/5836
IMO it is not important for FreeIPA 4.4. It is nice to have but I
doubt it will make it.
Honza suggested it should be the other way around, i.e. CA specifies
default profile rather than profile specifies default CA.
The fact (also raised by Christian) is that multiple profiles may be
used with a single CA, and vice-versa. CA ACLs will govern what
combinations are acceptable.
Thinking from user perspective, there are a couple of things to
consider:
- Currently, to request a particular kind of cert, user must specify
a profile ID.
- It is more natural to ask for a particular profile and have the
request dispatched to a profile-specified default CA, than to ask
for a cert issued by a particular CA, and a CA-specified default
profile will be used.
Given these points, I am strongly in favour of having the profile
indicate the default CA - not the other way around.
Cheers,
Fraser
More information about the Freeipa-devel
mailing list