On Fri, 26 Sep 2014 13:54:34 +0200
Martin Kosek <mko...@redhat.com> wrote:

> >> I tested the patch (it works fine with Dogtag 10), but I got very
> >> confused.
> >>
> >> What CA option are we setting? Signing algorithm or Key Algorithm?
> >> I thought we are only setting Signing algorithm, but in that
> >> case:  
> >
> > We are setting key algorithm for the CA signing key.  
> 
> That did not made me any less confused... If I check for example
> fields from certificate details from my browser, I see 2 algorithms
> names:
> 
> * Public Key Algorithm (RSA, ECC, ...)
> * Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with RSA,
> something with ECC)
> 
> In that world, "key algorithm" should really refer to the key  PKI
> algorithm, i.e. RSA, ECC, ... Signature algorithms is where hashes
> come to play.
> 
> >> - --ca-key-algorithm option should rather read
> >> --ca-signing-key-algorithm  
> >
> > If you want to emphasize that it is actually the algorithm used to
> > sign the CA certificate, the option should read
> > --ca-certificate-signature-algorithm, but I would rather stick to
> > Dogtag terminology and keep the string "key algorithm" in the
> > name.  
> 
> I still think for most people "key algorithm" refers to Public Key
> algorithm. Rob or Simo, what is your take on this?

If we are defining the signing algorithm the "signing" string should be
somewhere in the option.
Having just --key-algorithm is indeed confusing.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to