On 09/09/2013 05:17 AM, Jan Cholasta wrote:
> Another question:
> Should each IPA service (LDAP, HTTP, PKINIT) have its own distinctive
> set of trusted CAs, or is using one set for everything good enough?
> Using distinctive sets would allow granular control over what CA is
> trusted for what service (e.g. trust CA1 to issue certificates for LDAP
> and HTTP, but trust CA2 only to issue certificates for HTTP), but I'm
> not sure how useful that would be in the real world.
That would complicate things quickly. Managing CA certs is already
challenging enough. Exploding this via combinations does not seem to
present enough real value for the complexity.
In the real world most deployments boil down to a single CA and that
trust model been effective. Don't forget you can always revoke any cert
issued by a CA. Having granular control over individual CA's does not
seem to present value, just complications. If your CA is compromised
you've got big things to worry about, having it be 1 in N does not seem
to change that equation radically. If one CA got compromised you've got
a lot of work to do to replace the trusted CA list everywhere. If one is
compromised why aren't the other CA's? Having to update just one CA
trust rather than potentially N is better.
Freeipa-devel mailing list