On 9.9.2013 16:05, John Dennis wrote:
> On 09/09/2013 10:02 AM, Nalin Dahyabhai wrote:
>> On Mon, Sep 09, 2013 at 11:17:02AM +0200, Jan Cholasta wrote:
>>> Should each IPA service (LDAP, HTTP, PKINIT) have its own
>>> distinctive set of trusted CAs, or is using one set for everything
>>> good enough? Using distinctive sets would allow granular control
>>> over what CA is trusted for what service (e.g. trust CA1 to issue
>>> certificates for LDAP and HTTP, but trust CA2 only to issue
>>> certificates for HTTP), but I'm not sure how useful that would be in
>>> the real world.
>>
>> I'd expect it to depend heavily on whether or not you're chaining up to
>> an external CA. Personally, I'd very much want to keep a different set
>> of trust anchors for PKINIT in that situation.
>
> If you've got an external CA you still effectively have one trust anchor
> that can be revoked because we create a sub-CA from the external CA. Or
> perhaps I misunderstood what you were suggesting.

Don't forget about CA-less; you can theoretically have more than one
trust anchor in that case.
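As an added illustration of the trade-off discussed in this thread (not code from FreeIPA or from any participant), here is a stdlib-only Python model in which CA signatures are simulated with HMAC and the names ExternalRoot, IPA-SubCA, Other-SubCA and kdc.example.test are constructed. It shows that a PKINIT trust set anchored at the external root accepts a KDC certificate from any sub-CA of that root, while a set anchored at IPA's own sub-CA accepts only IPA-issued ones.

```python
import hashlib
import hmac
import json

def make_ca(name, issuer=None):
    # Toy CA: key derived from the name (constructed, NOT real key material);
    # a sub-CA carries its own certificate issued by its parent.
    ca = {"name": name, "key": hashlib.sha256(name.encode()).digest(), "cert": None}
    if issuer is not None:
        ca["cert"] = issue(issuer, name)
    return ca

def issue(ca, subject):
    # "Sign" a certificate body with the CA key; HMAC stands in for an X.509 signature.
    body = {"subject": subject, "issuer": ca["name"]}
    msg = json.dumps(body, sort_keys=True).encode()
    return {**body, "sig": hmac.new(ca["key"], msg, "sha256").hexdigest()}

def verify_sig(cert, ca):
    msg = json.dumps({"subject": cert["subject"], "issuer": cert["issuer"]}, sort_keys=True).encode()
    return hmac.compare_digest(hmac.new(ca["key"], msg, "sha256").hexdigest(), cert["sig"])

def chains_to_anchor(cert, anchors, known_cas, depth=0):
    # Walk issuer links upward; succeed only when a CA in this service's anchor set is reached.
    if depth > 4:
        return False
    issuer = known_cas.get(cert["issuer"])
    if issuer is None or not verify_sig(cert, issuer):
        return False
    if issuer["name"] in anchors:
        return True
    return issuer["cert"] is not None and chains_to_anchor(issuer["cert"], anchors, known_cas, depth + 1)

def accepted_for(service, cert, policy, known_cas):
    return chains_to_anchor(cert, policy[service], known_cas)

def demo():
    ext = make_ca("ExternalRoot")                 # the external CA IPA chains up to
    ipa = make_ca("IPA-SubCA", issuer=ext)        # IPA's sub-CA issued by the external CA
    other = make_ca("Other-SubCA", issuer=ext)    # another sub-CA under the same root
    cas = {c["name"]: c for c in (ext, ipa, other)}
    real_kdc = issue(ipa, "kdc.example.test")
    foreign_kdc = issue(other, "kdc.example.test")  # same name, issued by the other sub-CA
    shared = {s: {"ExternalRoot"} for s in ("HTTP", "LDAP", "PKINIT")}
    per_service = {"HTTP": {"ExternalRoot"}, "LDAP": {"ExternalRoot"}, "PKINIT": {"IPA-SubCA"}}
    return {
        "shared_accepts_foreign_kdc": accepted_for("PKINIT", foreign_kdc, shared, cas),
        "per_service_accepts_foreign_kdc": accepted_for("PKINIT", foreign_kdc, per_service, cas),
        "per_service_accepts_real_kdc": accepted_for("PKINIT", real_kdc, per_service, cas),
    }
```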
Freeipa-devel mailing list