[Freeipa-users] Using already running dogtag-instance possible?

Oliver Burtchen o.burtchen at gmx.de
Mon Apr 19 02:29:57 UTC 2010


Hi Rob,

On Saturday, 17 April 2010 05:43:15, Rob Crittenden wrote:
> ...
> I'm not worried about extraneous bug reports. The advantage of a
> bugzilla is it doesn't let me forget things to fix. If you want to be
> cautious you can always report problems on the list and we can address
> them as they come up, either with 1-liner fixes, explanations or bug
> filings. I'm fine with reporting problems on the list as long as real
> problems eventually end up as bugs.
>

Great. So I'll continue to post my observations here on the list. And if you 
say it's worth a bug report, I'll open one.

> ...
> I'm not too keen on asking too many more questions during the
> installation, the biggest problem being if a user decides against using
> dogtag.

Well, I understand the point. But someone can always just press return if the 
defaults are good.

Another method would be to ask for an "express" or "expert/custom" installation. 
So all the boring questions for experts could be hidden from the "normal" 
user, but the installation would remain open to more sophisticated users.

> 
> If one uses dogtag we set the subject in a way that regardless of the
> subject in the CSR we just use the CN value. So we have ultimate control
> over the issued subject.
> 
> With the self-signed CA we can only reject certificates that don't match
> what we allow. This isn't very user friendly but is the best we can do
> using the current NSS command-line tools we use for issuing certs. The
> NSS tools provide sort of a poor-man's CA so we do the best we can, it
> just isn't that flexible.
> 

I think it's a well-chosen tradeoff for an "all in one system" like freeIPA to 
use the cn value for internal things, and leave the rest (o, ou, e, st, etc.) 
to the user. Maybe it could be a goal for v3 or v4 to make cn 
customizable, so every foreign CA could be used.

Best regards,
Oli


-- 
Oliver Burtchen, Berlin
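As an added illustration (not code from the thread or from freeIPA/dogtag), here are the two subject policies Rob contrasts above: a dogtag-style CA that keeps only the CN from the CSR and supplies the rest of the subject itself, and a self-signed/NSS-style CA that can only accept or reject the subject as submitted. Subjects are modelled as RFC 4514 DN strings; `parse_dn` and `escape_value` are hypothetical helpers written for this example and the sample DNs are constructed.

```python
import re


def parse_dn(dn):
    """Split an RFC 4514 DN into RDNs, each a list of (TYPE, value) tuples.
    Handles backslash escapes and '+' multi-valued RDNs; hex-encoded
    values ('#...') are not supported.  Attribute types are upper-cased so
    'cn' and 'CN' compare equal; values are kept as written."""
    rdns, rdn, buf, typ, escaped = [], [], "", None, False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and typ is None:
            typ, buf = buf.strip().upper(), ""
        elif ch in ",+":
            rdn.append((typ, buf.strip()))
            typ, buf = None, ""
            if ch == ",":
                rdns.append(rdn)
                rdn = []
        else:
            buf += ch
    if typ is not None:
        rdn.append((typ, buf.strip()))
    if rdn:
        rdns.append(rdn)
    return rdns


def escape_value(value):
    """Escape the RFC 4514 special characters in an attribute value."""
    return re.sub(r'([,+"\\<>;=])', r"\\\1", value)


def dogtag_style_subject(csr_dn, ca_suffix):
    """Dogtag-style policy: issued subject is CN=<CN from CSR>,<ca_suffix>.
    Every other attribute in the CSR subject (O, OU, E, ST, ...) is ignored,
    so the CA has full control over what ends up in the certificate."""
    cns = [v for rdn in parse_dn(csr_dn) for t, v in rdn if t == "CN"]
    if len(cns) != 1:
        raise ValueError("CSR subject must carry exactly one CN")
    return "CN=%s,%s" % (escape_value(cns[0]), ca_suffix)


def selfsigned_style_check(csr_dn, allowed_dn):
    """Self-signed CA policy: the subject cannot be rewritten, so the CSR is
    accepted only if its subject exactly equals the one the CA allows."""
    return parse_dn(csr_dn) == parse_dn(allowed_dn)
```

With the constructed CSR subject `O=Example Corp,OU=Lab,CN=host.example.com,E=oli@example.com`, the dogtag-style policy issues `CN=host.example.com,O=EXAMPLE.COM`, while the self-signed check rejects the same CSR because its subject does not match the allowed `CN=host.example.com,O=EXAMPLE.COM`.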
