[Freeipa-users] Using already running dogtag-instance possible?
Oliver Burtchen
o.burtchen at gmx.de
Mon Apr 19 02:29:57 UTC 2010
Hi Rob,
On Saturday, 17 April 2010 05:43:15, Rob Crittenden wrote:
> ...
> I'm not worried about extraneous bug reports. The advantage of a
> bugzilla is it doesn't let me forget things to fix. If you want to be
> cautious you can always report problems on the list and we can address
> them as they come up, either with 1-liner fixes, explanations or bug
> filings. I'm fine with reporting problems on the list as long as real
> problems eventually end up as bugs.
>
Great. So I'll continue to post my observations here on the list. And if you
say it's worth a bug report, I'll open one.
> ...
> I'm not too keen on asking too many more questions during the
> installation, the biggest problem being if a user decides against using
> dogtag.
Well, I understand the point. But someone can always just press return if the
defaults are good.
Another method would be to ask for an "express" or "expert/custom" installation.
So all the boring questions for experts could be hidden from the "normal"
user, but the installation is open to be used by more sophisticated users.
>
> If one uses dogtag we set the subject in a way that regardless of the
> subject in the CSR we just use the CN value. So we have ultimate control
> over the issued subject.
>
> With the self-signed CA we can only reject certificates that don't match
> what we allow. This isn't very user friendly but is the best we can do
> using the current NSS command-line tools we use for issuing certs. The
> NSS tools provide sort of a poor-man's CA so we do the best we can, it
> just isn't that flexible.
>
I think it's a well-chosen tradeoff for an "all in one system" like freeIPA to
use the CN value for internal things and leave the rest (O, OU, E, ST, etc.)
to the user. Maybe it could be a goal for v3 or v4 to make the CN
customizable, so every foreign CA could be used.
Best regards,
Oli
--
Oliver Burtchen, Berlin
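The two subject-handling models discussed in the quoted text (a CA that rewrites the subject and keeps only the CSR's CN, versus a poor-man's CA that can only accept or reject the subject as submitted) can be illustrated with a small policy check. This is an added example, not FreeIPA, dogtag or NSS code; it works on RFC 4514-style subject strings instead of real ASN.1 CSRs, and the constants `CA_SUBJECT_BASE` and `ALLOWED_DOMAIN` as well as the sample subjects are constructed assumptions.

```python
"""Two CA subject policies side by side (added example, not FreeIPA code).

Policy 1 (dogtag-style): whatever the CSR subject says, the CA keeps only
the CN and fills in the rest itself, so the issuer has full control.
Policy 2 (self-signed/NSS-style): the CA cannot rewrite the subject, so it
can only accept a CSR whose subject already matches what it would issue.
"""
from typing import List, Tuple

CA_SUBJECT_BASE = [("O", "EXAMPLE.COM")]  # assumed issuer-controlled suffix
ALLOWED_DOMAIN = "example.com"             # assumed realm; CNs must live under it

RDNs = List[Tuple[str, str]]


def parse_subject(subject: str) -> RDNs:
    """Split "CN=host,O=Foo" into (attribute, value) pairs.

    Backslash escapes are honoured so that 'O=Foo\\, Inc' stays one RDN
    instead of being split at the escaped comma.
    """
    parts, cur, escaped = [], "", False
    for ch in subject:
        if escaped:
            cur += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)

    rdns: RDNs = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def cn_is_allowed(cn: str) -> bool:
    """Accept only host names inside the assumed realm (no wildcards)."""
    cn = cn.lower()
    return "*" not in cn and cn.endswith("." + ALLOWED_DOMAIN)


def dogtag_style_subject(csr_subject: str) -> RDNs:
    """Policy 1: take the CN from the CSR, discard everything else, and
    append the CA's own fixed RDNs. Raises ValueError on a bad CN."""
    cns = [v for a, v in parse_subject(csr_subject) if a == "CN"]
    if len(cns) != 1:
        raise ValueError("CSR must carry exactly one CN")
    if not cn_is_allowed(cns[0]):
        raise ValueError(f"CN {cns[0]!r} is outside {ALLOWED_DOMAIN}")
    return [("CN", cns[0])] + CA_SUBJECT_BASE


def nss_style_check(csr_subject: str) -> bool:
    """Policy 2: no rewriting possible, so the CSR is accepted only if its
    subject is byte-for-byte what policy 1 would have issued anyway."""
    try:
        expected = dogtag_style_subject(csr_subject)
    except ValueError:
        return False
    return parse_subject(csr_subject) == expected


if __name__ == "__main__":
    # Constructed sample CSR subjects
    for subj in ("CN=host1.example.com,O=Foo\\, Inc,ST=Berlin",
                 "CN=host1.example.com,O=EXAMPLE.COM",
                 "CN=host.attacker.net,O=EXAMPLE.COM"):
        try:
            issued = dogtag_style_subject(subj)
        except ValueError as err:
            issued = f"rejected ({err})"
        print(f"{subj!r}\n  dogtag-style -> {issued}\n  nss-style    -> {nss_style_check(subj)}")
```

The first sample shows the difference the quoted text describes: the dogtag-style CA happily issues `CN=host1.example.com,O=EXAMPLE.COM` because it ignores the user's O and ST, while the NSS-style check has to reject the same CSR because it cannot rewrite the subject and the submitted one does not match.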