On 09/09/2013 05:17 AM, Jan Cholasta wrote:
> Another question:
>
> Should each IPA service (LDAP, HTTP, PKINIT) have its own distinctive
> set of trusted CAs, or is using one set for everything good enough?
> Using distinctive sets would allow granular control over what CA is
> trusted for what service (e.g. trust CA1 to issue certificates for LDAP
> and HTTP, but trust CA2 only to issue certificates for HTTP), but I'm
> not sure how useful that would be in the real world.
That would complicate things quickly. Managing CA certs is already challenging enough. Exploding this via combinations does not seem to present enough real value for the complexity. In the real world most deployments boil down to a single CA, and that trust model has been effective. Don't forget you can always revoke any cert issued by a CA. Having granular control over individual CAs does not seem to present value, just complications.

If your CA is compromised you've got big things to worry about; having it be 1 in N does not seem to change that equation radically. If one CA got compromised you've got a lot of work to do to replace the trusted CA list everywhere. If one is compromised, why aren't the other CAs? Having to update just one CA trust rather than potentially N is better.

--
John

_______________________________________________
Freeipa-devel mailing list
https://www.redhat.com/mailman/listinfo/freeipa-devel