On 09/29/2014 11:11 AM, Jan Cholasta wrote:
> On 29.9.2014 at 05:16, Fraser Tweedale wrote:
>> On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote:
>>> On Fri, 26 Sep 2014 13:54:34 +0200
>>> Martin Kosek <mko...@redhat.com> wrote:
>>>
>>>>>> I tested the patch (it works fine with Dogtag 10), but I got very
>>>>>> confused.
>>>>>>
>>>>>> What CA option are we setting? Signing algorithm or Key Algorithm?
>>>>>> I thought we are only setting Signing algorithm, but in that
>>>>>> case:
>>>>>
>>>>> We are setting key algorithm for the CA signing key.
>>>>
>>>> That did not make me any less confused... If I check for example
>>>> fields from certificate details from my browser, I see 2 algorithm
>>>> names:
>>>>
>>>> * Public Key Algorithm (RSA, ECC, ...)
>>>> * Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with RSA,
>>>>   something with ECC)
>>>>
>>>> In that world, "key algorithm" should really refer to the key PKI
>>>> algorithm, i.e. RSA, ECC, ... Signature algorithms are where hashes
>>>> come into play.
>>>>
>>>>>> - --ca-key-algorithm option should rather read
>>>>>> --ca-signing-key-algorithm
>>>>>
>>>>> If you want to emphasize that it is actually the algorithm used to
>>>>> sign the CA certificate, the option should read
>>>>> --ca-certificate-signature-algorithm, but I would rather stick to
>>>>> Dogtag terminology and keep the string "key algorithm" in the
>>>>> name.
>>>>
>>>> I still think for most people "key algorithm" refers to Public Key
>>>> algorithm. Rob or Simo, what is your take on this?
>>>
>>> If we are defining the signing algorithm the "signing" string should be
>>> somewhere in the option.
>>> Having just --key-algorithm is indeed confusing.
>>>
>>> Simo.
>>>
>>
>> My take is that the terminology should be chosen in line with
>> standards. The X.509 field is called `signatureAlgorithm' so
>> `--ca-certificate-signature-algorithm' makes sense to me.
>> Consistency with Dogtag terminology is a secondary consideration
>> considering FreeIPA users are unlikely to interact directly with
>> Dogtag much (especially during installation).
>>
>> Fraser
>>
>
> I think it actually sets both the key algorithm and the signature algorithm
> (you can't do an RSA signature with an EC key, etc.), that's probably why it is
> called "key algorithm" in Dogtag.

Hm, you are right that the key algorithm is implied during signature
algorithm selection. But still, values SHA256withRSA and friends really
denote just a signature algorithm and the option should be named
accordingly.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
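Added example, not part of the thread and not FreeIPA or Dogtag code: the two X.509 fields the thread contrasts, Certificate.signatureAlgorithm (what a value like SHA256withRSA names) and subjectPublicKeyInfo.algorithm (the "key algorithm" in the browser's sense), read out of a DER certificate with a small hand-written parser, followed by the consistency check Jan's remark implies (an RSA signature algorithm requires an RSA key). The certificate builder constructs a skeleton with placeholder names, validity, key bits and signature bits so the parser has offline input; it is not a real or verifiable certificate. The OIDs are the standard ones from RFC 3279 and RFC 5758; the name SHA256withRSA in the thread is the JCA spelling of sha256WithRSAEncryption.

```python
# Added example (not from the thread, FreeIPA or Dogtag): read the
# signatureAlgorithm and subjectPublicKeyInfo.algorithm fields of a DER
# X.509 certificate and check that the key family the signature algorithm
# implies matches the key actually in the certificate. build_cert() makes
# a constructed skeleton (placeholder names, validity, key and signature
# bits); it is parser input only, not a usable certificate.

# Standard OIDs (RFC 3279, RFC 5758).
SHA256_RSA_OID = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption (SHA256withRSA)
ECDSA_SHA256_OID = "1.2.840.10045.4.3.2"   # ecdsa-with-SHA256 (SHA256withEC)
RSA_KEY_OID = "1.2.840.113549.1.1.1"       # rsaEncryption
EC_KEY_OID = "1.2.840.10045.2.1"           # id-ecPublicKey
SECP256R1_OID = "1.2.840.10045.3.1.7"      # named curve carried as EC SPKI parameter

# signature algorithm -> (name, key family it implies)
SIG_ALGS = {
    SHA256_RSA_OID: ("sha256WithRSAEncryption", "RSA"),
    ECDSA_SHA256_OID: ("ecdsa-with-SHA256", "EC"),
}
KEY_ALGS = {RSA_KEY_OID: "RSA", EC_KEY_OID: "EC"}


# --- minimal DER encode/decode ------------------------------------------
def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def enc_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (base-128 arcs, high group first)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # lowest 7 bits, no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dec_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


# --- constructed certificate skeleton -----------------------------------
def alg_id(oid, params=b""):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    return tlv(0x30, enc_oid(oid) + params)


def build_cert(sig_oid, key_oid):
    """Skeleton whose only meaningful parts are the AlgorithmIdentifiers."""
    rsa_sig = sig_oid.startswith("1.2.840.113549")
    sig_alg = alg_id(sig_oid, b"\x05\x00" if rsa_sig else b"")  # NULL for RSA, absent for ECDSA
    key_params = b"\x05\x00" if key_oid == RSA_KEY_OID else enc_oid(SECP256R1_OID)
    spki = tlv(0x30, alg_id(key_oid, key_params) + tlv(0x03, b"\x00\x01\x02\x03"))  # placeholder key bits
    version = tlv(0xA0, tlv(0x02, b"\x02"))           # [0] EXPLICIT INTEGER 2 (v3)
    serial = tlv(0x02, b"\x01")
    name = tlv(0x30, b"")                              # empty issuer/subject Name
    validity = tlv(0x30, tlv(0x17, b"140929000000Z") * 2)
    tbs = tlv(0x30, version + serial + sig_alg + name + validity + name + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 9))  # placeholder signature bits


# --- the check ----------------------------------------------------------
def cert_algorithms(cert):
    """Return (signatureAlgorithm, tbs.signature, SPKI.algorithm) as dotted OIDs."""
    _, body, _ = read_tlv(cert, 0)
    _, tbs, pos = read_tlv(body, 0)
    _, outer_sig, _ = read_tlv(body, pos)
    tag, _, p = read_tlv(tbs, 0)
    if tag == 0xA0:                                    # optional version present
        _, _, p = read_tlv(tbs, p)                     # skip serialNumber
    _, inner_sig, p = read_tlv(tbs, p)
    for _ in range(3):                                 # issuer, validity, subject
        _, _, p = read_tlv(tbs, p)
    _, spki, _ = read_tlv(tbs, p)
    _, spki_alg, _ = read_tlv(spki, 0)
    first_oid = lambda seq: dec_oid(read_tlv(seq, 0)[1])
    return first_oid(outer_sig), first_oid(inner_sig), first_oid(spki_alg)


def describe(cert):
    outer, inner, key = cert_algorithms(cert)
    sig_name, sig_family = SIG_ALGS.get(outer, (outer, None))
    key_family = KEY_ALGS.get(key, key)
    problems = []
    if outer != inner:                                 # RFC 5280 4.1.1.2 requires equality
        problems.append("signatureAlgorithm differs from tbsCertificate.signature")
    if sig_family != key_family:
        problems.append(f"{sig_name} needs an {sig_family} key, but the SPKI holds {key_family}")
    return {"signature_algorithm": sig_name, "public_key_algorithm": key_family, "problems": problems}


if __name__ == "__main__":
    for sig, key in [(SHA256_RSA_OID, RSA_KEY_OID), (SHA256_RSA_OID, EC_KEY_OID)]:
        print(describe(build_cert(sig, key)))
```

The parser deliberately reports three OIDs: a real certificate carries the signature algorithm twice (inside the signed TBSCertificate and again outside it), and only subjectPublicKeyInfo.algorithm says what kind of key the subject holds. The mismatch branch is what Jan's point amounts to in code: choosing SHA256withRSA fixes the key family, which is why a single Dogtag "key algorithm" setting can stand in for both, but the value itself still names a signature algorithm.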