On 29.9.2014 at 05:16, Fraser Tweedale wrote:
On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote:
On Fri, 26 Sep 2014 13:54:34 +0200
Martin Kosek <mko...@redhat.com> wrote:

I tested the patch (it works fine with Dogtag 10), but I got very

What CA option are we setting? Signing algorithm or Key Algorithm?
I thought we were only setting the signing algorithm, but in that

We are setting key algorithm for the CA signing key.

That did not make me any less confused... If I check for example
fields from certificate details from my browser, I see 2 algorithms

* Public Key Algorithm (RSA, ECC, ...)
* Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with RSA,
something with ECC)

In that world, "key algorithm" should really refer to the key PKI
algorithm, i.e. RSA, ECC, ... Signature algorithms are where hashes
come into play.

- --ca-key-algorithm option should rather read

If you want to emphasize that it is actually the algorithm used to
sign the CA certificate, the option should read
--ca-certificate-signature-algorithm, but I would rather stick to
Dogtag terminology and keep the string "key algorithm" in the

I still think for most people "key algorithm" refers to the public key
algorithm. Rob or Simo, what is your take on this?

If we are defining the signing algorithm the "signing" string should be
somewhere in the option.
Having just --key-algorithm is indeed confusing.


My take is that the terminology should be chosen in line with
standards.  The X.509 field is called `signatureAlgorithm' so
`--ca-certificate-signature-algorithm' makes sense to me.
Consistency with Dogtag terminology is a secondary consideration
considering FreeIPA users are unlikely to interact directly with
Dogtag much (especially during installation).


I think it actually sets both the key algorithm and the signature algorithm (you can't do an RSA signature with an EC key, etc.), that's probably why it is called "key algorithm" in Dogtag.

Jan Cholasta
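The distinction the thread is circling, between the certificate's Subject Public Key Info algorithm and its signatureAlgorithm field, and Jan's point that the key type constrains which signature algorithm an issuer can use, can be seen directly with the Go standard library. The following is an added example written for this page; it is not FreeIPA or Dogtag code and does not use their option names. The function `selfSignedCA` and the `CertAlgorithms` type are illustrative names chosen here; the behaviour shown (the two distinct fields, and `x509.CreateCertificate` refusing a signature algorithm that does not match the key type) is that of Go's `crypto/x509`.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertAlgorithms holds the two separate X.509 algorithm fields of one
// certificate: the algorithm of the subject's public key and the algorithm
// the issuer used to sign the certificate.
type CertAlgorithms struct {
	PublicKey x509.PublicKeyAlgorithm
	Signature x509.SignatureAlgorithm
}

// selfSignedCA generates a CA key of the requested type ("rsa" or "ec"),
// issues a self-signed CA certificate with the requested signature
// algorithm (0 lets Go choose a default that matches the key type), and
// reports which algorithms ended up in the parsed certificate.
func selfSignedCA(keyType string, sigAlg x509.SignatureAlgorithm) (CertAlgorithms, error) {
	var priv crypto.Signer
	var pub interface{}
	switch keyType {
	case "rsa":
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return CertAlgorithms{}, err
		}
		priv, pub = k, &k.PublicKey
	case "ec":
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return CertAlgorithms{}, err
		}
		priv, pub = k, &k.PublicKey
	default:
		return CertAlgorithms{}, errors.New("unknown key type: " + keyType)
	}

	// Constructed CA template; name and validity are placeholders for the example.
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SignatureAlgorithm:    sigAlg, // the "signature algorithm" knob
	}

	// Self-signed: template is both subject and issuer. Go returns an error
	// here if sigAlg does not fit the key type (e.g. SHA256WithRSA with an EC key).
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return CertAlgorithms{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertAlgorithms{}, err
	}
	return CertAlgorithms{PublicKey: cert.PublicKeyAlgorithm, Signature: cert.SignatureAlgorithm}, nil
}

func main() {
	for _, c := range []struct {
		key string
		sig x509.SignatureAlgorithm
	}{
		{"rsa", x509.SHA256WithRSA},
		{"ec", x509.ECDSAWithSHA256},
		{"ec", x509.SHA256WithRSA}, // mismatch: rejected
	} {
		a, err := selfSignedCA(c.key, c.sig)
		if err != nil {
			fmt.Printf("%-3s key + %-16v -> error: %v\n", c.key, c.sig, err)
			continue
		}
		fmt.Printf("%-3s key + %-16v -> public key alg %v, signature alg %v\n",
			c.key, c.sig, a.PublicKey, a.Signature)
	}
}
```

Run with `go run`. The first two cases show the two fields reported separately (RSA key with SHA-256-with-RSA signature; ECDSA key with ECDSA-with-SHA-256 signature), and the third shows why an option that fixes the CA's key type effectively fixes the family of signature algorithms too: the library refuses to sign with an algorithm of the wrong family.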

Freeipa-devel mailing list