On 09/09/2013 10:02 AM, Nalin Dahyabhai wrote:
> On Mon, Sep 09, 2013 at 11:17:02AM +0200, Jan Cholasta wrote:
>> Should each IPA service (LDAP, HTTP, PKINIT) have its own
>> distinctive set of trusted CAs, or is using one set for everything
>> good enough? Using distinctive sets would allow granular control
>> over what CA is trusted for what service (e.g. trust CA1 to issue
>> certificates for LDAP and HTTP, but trust CA2 only to issue
>> certificates for HTTP), but I'm not sure how useful that would be in
>> the real world.
>
> I'd expect it to depend heavily on whether or not you're chaining up to
> an external CA. Personally, I'd very much want to keep a different set
> of trust anchors for PKINIT in that situation.
If you've got an external CA you still effectively have one trust anchor that can be revoked because we create a sub-CA from the external CA. Or perhaps I misunderstood what you were suggesting.

-- 
John

_______________________________________________
Freeipa-devel mailing list
https://www.redhat.com/mailman/listinfo/freeipa-devel
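The two options under discussion, one shared set of trusted CAs versus a distinct set per service, and John's point that an externally chained deployment still funnels every IPA-issued certificate through a single sub-CA, can be made concrete with a small chain-building check. The following is an added example, not FreeIPA code and not code posted in this thread; it assumes the Python `cryptography` package is installed, and every CA, hostname and certificate in it is constructed on the spot for illustration.

```python
# Added example (not FreeIPA code): per-service trust-anchor sets vs. one
# shared set, plus the "single sub-CA" effect of chaining to an external CA.
# Assumes the `cryptography` package; all names/certs below are constructed.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2013, 9, 9, tzinfo=datetime.timezone.utc)


def make_cert(subject_cn, issuer_cert, issuer_key, is_ca):
    """Issue a minimal ECDSA X.509 certificate; self-signed when issuer_cert is None."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    if issuer_cert is None:
        issuer_name, signing_key = subject, key
    else:
        issuer_name, signing_key = issuer_cert.subject, issuer_key
    cert = (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer_name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))
    return cert, key


def signed_by(cert, issuer):
    """True if `cert` names `issuer` as its issuer and the signature verifies."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def is_ca(cert):
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca


def chain_to_anchor(leaf, intermediates, anchors, max_depth=5):
    """Walk issuer links from `leaf` through `intermediates` until a cert in
    `anchors` signs the current cert. Returns that anchor, or None."""
    current = leaf
    for _ in range(max_depth):
        for anchor in anchors:
            if is_ca(anchor) and signed_by(current, anchor):
                return anchor
        nxt = next((c for c in intermediates if is_ca(c) and signed_by(current, c)), None)
        if nxt is None:
            return None
        current = nxt
    return None


# Constructed hierarchy: an external root signs the IPA sub-CA (John's case);
# CA2 is an unrelated CA that Jan's example trusts for HTTP only.
external_root, external_key = make_cert("External Root CA", None, None, True)
ipa_sub_ca, ipa_key = make_cert("IPA Sub-CA", external_root, external_key, True)
ca2, ca2_key = make_cert("CA2", None, None, True)

ldap_cert, _ = make_cert("ldap.ipa.example.test", ipa_sub_ca, ipa_key, False)
http_cert_ca2, _ = make_cert("http.ipa.example.test", ca2, ca2_key, False)

# Option A: one trust set shared by every service.
SHARED = {s: [ipa_sub_ca, ca2] for s in ("LDAP", "HTTP", "PKINIT")}
# Option B: per-service sets; CA2 may issue for HTTP but not LDAP or PKINIT.
PER_SERVICE = {"LDAP": [ipa_sub_ca], "HTTP": [ipa_sub_ca, ca2], "PKINIT": [ipa_sub_ca]}


def trusted_for(service, cert, trust_sets, intermediates=()):
    """Return the anchor's subject that `cert` chains to for `service`, or None."""
    anchor = chain_to_anchor(cert, list(intermediates), trust_sets[service])
    return anchor.subject.rfc4514_string() if anchor else None


def reaches_external_root(cert):
    """Anchoring on the external root instead of the sub-CA: the chain still
    has to pass through the single IPA sub-CA as an intermediate."""
    return chain_to_anchor(cert, [ipa_sub_ca], [external_root]) is external_root


if __name__ == "__main__":
    for name, sets in (("shared", SHARED), ("per-service", PER_SERVICE)):
        print(name, "LDAP <- CA2:", trusted_for("LDAP", http_cert_ca2, sets))
    print("sub-CA withheld, root anchored:", chain_to_anchor(ldap_cert, [], [external_root]))
```

Under the shared set the CA2-issued certificate is accepted for LDAP as well as HTTP; under per-service sets it is accepted only for HTTP. The last check shows John's observation: even when the anchor is the external root, withholding or distrusting the one IPA sub-CA breaks every IPA-issued certificate at once, so the externally chained deployment still has effectively a single anchor for its own services.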