On Mon, Sep 09, 2013 at 11:17:02AM +0200, Jan Cholasta wrote:
> Should each IPA service (LDAP, HTTP, PKINIT) have its own
> distinctive set of trusted CAs, or is using one set for everything
> good enough? Using distinctive sets would allow granular control
> over what CA is trusted for what service (e.g. trust CA1 to issue
> certificates for LDAP and HTTP, but trust CA2 only to issue
> certificates for HTTP), but I'm not sure how useful that would be in
> the real world.
I'd expect it to depend heavily on whether or not you're chaining up to an external CA. Personally, I'd very much want to keep a different set of trust anchors for PKINIT in that situation.

HTH,

Nalin

Freeipa-devel mailing list
https://www.redhat.com/mailman/listinfo/freeipa-devel
