On Wed, Aug 02, 2017 at 09:59:35AM -0400, Rob Crittenden wrote:
> Petr Vobornik via FreeIPA-devel wrote:
> > On Wed, Aug 2, 2017 at 3:30 AM, Fraser Tweedale <ftwee...@redhat.com> wrote:
> >> Hi devs,
> >>
> >> This is at least the second time recently that people needing to
> >> renew service certificates used ``ipa-cacert-manage renew`` (the
> >> wrong command) and either didn't solve the problem or got into a
> >> deeper mess.
> >>
> >> Clearly we have a usability problem here.
> >>
> >> The ipa-cacert-manage(1) man page is clear, but perhaps could use a
> >> prominent statement that it doesn't renew service certs and if
> >> that's all the user needs to do, to use `getcert resubmit` instead.
> > 
> > Right, I think that a lot of people don't understand certificates well
> > and so they don't distinguish CA cert and other cert. So when they see
> > a howto for "CA certificate renewal" they understand "certificate
> > renewal".
> > 
> > From that perspective another possible culprit is also page:
> >   https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> > 
> >>
> >> But I think better would be to enhance `ipa-cacert-manage renew` to
> >> inspect the current CA certificate and if it has, say, more than 75%
> >> of its validity period still to go, to PROMPT the user to confirm
> >> that renewing the *CA* certificate is really what they wanted to do.
> >>
> >> What do others think of this idea?
> > 
> > I like the idea.
> 
> Honestly, I'd be even harsher. IMHO this is one of those times that
> requires:
> 
> Are you sure? (yes/NO)
> 
> Are you really sure? (yes/NO)
> 
> Really, you want to renew the CA certificate and not some other
> certificate? This is not something to be done lightly? (yes/NO)
> 
> <insert another 72 questions here>
> 
> rob
>
OK, I've filed tickets:

- https://pagure.io/freeipa/issue/7084 (update command with prompts)
- https://pagure.io/freeipa/issue/7085 (manpage)

Thanks,
Fraser
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

Reply via email to