On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote:
> On Fri, 26 Sep 2014 13:54:34 +0200
> Martin Kosek <mko...@redhat.com> wrote:
>
> > >> I tested the patch (it works fine with Dogtag 10), but I got very
> > >> confused.
> > >>
> > >> What CA option are we setting? Signing algorithm or Key Algorithm?
> > >> I thought we are only setting Signing algorithm, but in that
> > >> case:
> > >
> > > We are setting key algorithm for the CA signing key.
> >
> > That did not make me any less confused... If I check for example
> > fields from certificate details from my browser, I see 2 algorithm
> > names:
> >
> > * Public Key Algorithm (RSA, ECC, ...)
> > * Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with RSA,
> >   something with ECC)
> >
> > In that world, "key algorithm" should really refer to the key PKI
> > algorithm, i.e. RSA, ECC, ... Signature algorithms are where hashes
> > come into play.
> >
> > >> - --ca-key-algorithm option should rather read
> > >>   --ca-signing-key-algorithm
> > >
> > > If you want to emphasize that it is actually the algorithm used to
> > > sign the CA certificate, the option should read
> > > --ca-certificate-signature-algorithm, but I would rather stick to
> > > Dogtag terminology and keep the string "key algorithm" in the
> > > name.
> >
> > I still think for most people "key algorithm" refers to Public Key
> > algorithm. Rob or Simo, what is your take on this?
>
> If we are defining the signing algorithm the "signing" string should be
> somewhere in the option.
> Having just --key-algorithm is indeed confusing.
>
> Simo.
>
My take is that the terminology should be chosen in line with standards.
The X.509 field is called `signatureAlgorithm' so
`--ca-certificate-signature-algorithm' makes sense to me. Consistency
with Dogtag terminology is a secondary consideration considering FreeIPA
users are unlikely to interact directly with Dogtag much (especially
during installation).

Fraser

> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
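The two fields the thread is arguing about live in different places in an X.509 certificate: Certificate.signatureAlgorithm (next to the signature, stating which hash and public-key scheme signed the certificate) and TBSCertificate.subjectPublicKeyInfo.algorithm (stating what kind of key the certificate carries). The following is an added example, not code from the thread or from FreeIPA or Dogtag. It builds a constructed, unsigned skeleton of a Certificate with a minimal DER encoder (standard library only), then walks the DER to extract both algorithm OIDs and checks the RFC 5280 requirement that the inner TBSCertificate.signature field matches the outer signatureAlgorithm. The OID-to-name table is an assumption limited to the four algorithms shown; the field layout follows RFC 5280 section 4.1.

```python
"""Walk a DER X.509 Certificate and report its two distinct algorithm fields.

The certificate bytes come from skeleton_cert(), a constructed, unsigned
skeleton built for this demo (dummy key and signature bytes); it is not a
real certificate and would not validate anywhere.
"""

# Assumption: a small OID table covering only the algorithms used here.
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",              # public-key algorithm
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",   # signature algorithm
    "1.2.840.10045.2.1": "id-ecPublicKey",                # public-key algorithm
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",           # signature algorithm
}


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID: first two arcs combine as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    """Inverse of encode_oid for the first-arc values 0..2 used here."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def alg_id(oid, params=b"\x05\x00"):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }."""
    return tlv(0x30, encode_oid(oid) + params)


def skeleton_cert(sig_oid, key_oid, key_params=b"\x05\x00", inner_sig_oid=None):
    """Constructed Certificate skeleton following the RFC 5280 field order."""
    inner_sig_oid = inner_sig_oid or sig_oid
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                     # [0] version v3
              + tlv(0x02, b"\x01")                               # serialNumber
              + alg_id(inner_sig_oid)                            # signature (inner copy)
              + tlv(0x30, b"")                                   # issuer (empty Name)
              + tlv(0x30, tlv(0x17, b"240101000000Z")
                    + tlv(0x17, b"250101000000Z"))               # validity
              + tlv(0x30, b"")                                   # subject (empty Name)
              + tlv(0x30, alg_id(key_oid, key_params)
                    + tlv(0x03, b"\x00" + b"\xAA" * 16)))        # subjectPublicKeyInfo
    return tlv(0x30, tbs + alg_id(sig_oid) + tlv(0x03, b"\x00" + b"\xBB" * 16))


def read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def alg_name(alg_id_body):
    _, oid_body, _ = read_tlv(alg_id_body, 0)   # first element is the OID
    dotted = decode_oid(oid_body)
    return OID_NAMES.get(dotted, dotted)


def certificate_algorithms(der):
    """Extract signatureAlgorithm, the SPKI key algorithm, and the inner/outer match."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs, pos = read_tlv(cert, 0)            # tbsCertificate
    _, outer_sig, _ = read_tlv(cert, pos)      # signatureAlgorithm
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 7:  # version..subjectPublicKeyInfo
        tag, body, pos = read_tlv(tbs, pos)
        fields.append((tag, body))
    if fields[0][0] == 0xA0:                   # explicit [0] version is optional
        fields.pop(0)
    inner_sig, spki = fields[1][1], fields[5][1]
    _, key_alg, _ = read_tlv(spki, 0)
    return {
        "signature_algorithm": alg_name(outer_sig),
        "public_key_algorithm": alg_name(key_alg),
        "signature_fields_consistent": alg_name(inner_sig) == alg_name(outer_sig),
    }


if __name__ == "__main__":
    rsa = skeleton_cert("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1")
    print(certificate_algorithms(rsa))
```

The consistency flag is the check a verifier would want: RFC 5280 requires the inner TBSCertificate.signature and the outer signatureAlgorithm to carry the same algorithm, and a mismatch is a sign of a malformed or tampered certificate rather than a naming quibble.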