On 06/11/2014 09:18 PM, Fraser Tweedale wrote:
> On Wed, Jun 11, 2014 at 08:55:20AM -0400, John Dennis wrote:
>> On 06/11/2014 04:02 AM, Fraser Tweedale wrote:
>>> There are other use cases for user certificates, e.g. client
>>> authentication for HTTP or other network services.  Perhaps you know
>>> of others - in which case let us know.
>> 802.11 wireless authentication using EAP-TLS
>>
>> A common discussion on the RADIUS mailing lists is the desire to deploy
>> using EAP-TLS but the difficulty of provisioning user certs is always
>> the stumbling block.
>
> Thanks John,
>
> I've created http://www.freeipa.org/page/User_certificate_use_cases
> to collect and discuss these use cases.

I think it is important to differentiate between short-term and long-term certificates for users. The long-term certificates are used for authentication and signing. They are put on devices like smart cards. They need to be associated with the user in the back end. They can be revoked. The short-lived certificates do not need to be recorded on the server side. They are just issued, and since they do not live long there is no need to record them in the back end or to try to revoke them. This is IMO a crucial difference.

For now we focus on the long-lived certificates for hosts, services, devices and short-lived certificates for any identity. IMO long-lived certs for users are a separate big use case that we currently should set aside and solve after we solve the other use cases.


> Fraser
>
>> --
>> John
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
