On Fri, 26 Sep 2014 13:54:34 +0200 Martin Kosek <mko...@redhat.com> wrote:
> >> I tested the patch (it works fine with Dogtag 10), but I got very
> >> confused.
> >>
> >> What CA option are we setting? Signing algorithm or Key Algorithm?
> >> I thought we are only setting Signing algorithm, but in that
> >> case:
> >
> > We are setting key algorithm for the CA signing key.
>
> That did not make me any less confused... If I check for example
> fields from certificate details from my browser, I see 2 algorithm
> names:
>
> * Public Key Algorithm (RSA, ECC, ...)
> * Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with RSA,
>   something with ECC)
>
> In that world, "key algorithm" should really refer to the key PKI
> algorithm, i.e. RSA, ECC, ... Signature algorithms are where hashes
> come into play.
>
> >> - --ca-key-algorithm option should rather read
> >> --ca-signing-key-algorithm
> >
> > If you want to emphasize that it is actually the algorithm used to
> > sign the CA certificate, the option should read
> > --ca-certificate-signature-algorithm, but I would rather stick to
> > Dogtag terminology and keep the string "key algorithm" in the
> > name.
>
> I still think for most people "key algorithm" refers to Public Key
> algorithm. Rob or Simo, what is your take on this?

If we are defining the signing algorithm, the "signing" string should be
somewhere in the option. Having just --key-algorithm is indeed
confusing.

Simo.

--
Simo Sorce * Red Hat, Inc * New York