On 09/29/2014 01:13 PM, Jan Cholasta wrote:
> On 29.9.2014 at 12:20, Martin Kosek wrote:
>> On 09/29/2014 11:11 AM, Jan Cholasta wrote:
>>> On 29.9.2014 at 05:16, Fraser Tweedale wrote:
>>>> On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote:
>>>>> On Fri, 26 Sep 2014 13:54:34 +0200
>>>>> Martin Kosek <mko...@redhat.com> wrote:
>>>>>
>>>>>>>> I tested the patch (it works fine with Dogtag 10), but I got very
>>>>>>>> confused.
>>>>>>>>
>>>>>>>> What CA option are we setting? Signing algorithm or Key Algorithm?
>>>>>>>> I thought we are only setting Signing algorithm, but in that
>>>>>>>> case:
>>>>>>>
>>>>>>> We are setting key algorithm for the CA signing key.
>>>>>>
>>>>>> That did not make me any less confused... If I check for example
>>>>>> fields from certificate details from my browser, I see 2 algorithm
>>>>>> names:
>>>>>>
>>>>>> * Public Key Algorithm (RSA, ECC, ...)
>>>>>> * Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with RSA,
>>>>>> something with ECC)
>>>>>>
>>>>>> In that world, "key algorithm" should really refer to the key PKI
>>>>>> algorithm, i.e. RSA, ECC, ... Signature algorithms are where hashes
>>>>>> come into play.
>>>>>>
>>>>>>>> - --ca-key-algorithm option should rather read
>>>>>>>> --ca-signing-key-algorithm
>>>>>>>
>>>>>>> If you want to emphasize that it is actually the algorithm used to
>>>>>>> sign the CA certificate, the option should read
>>>>>>> --ca-certificate-signature-algorithm, but I would rather stick to
>>>>>>> Dogtag terminology and keep the string "key algorithm" in the
>>>>>>> name.
>>>>>>
>>>>>> I still think for most people "key algorithm" refers to Public Key
>>>>>> algorithm. Rob or Simo, what is your take on this?
>>>>>
>>>>> If we are defining the signing algorithm the "signing" string should be
>>>>> somewhere in the option.
>>>>> Having just --key-algorithm is indeed confusing.
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> My take is that the terminology should be chosen in line with
>>>> standards. The X.509 field is called `signatureAlgorithm' so
>>>> `--ca-certificate-signature-algorithm' makes sense to me.
>>>> Consistency with Dogtag terminology is a secondary consideration
>>>> considering FreeIPA users are unlikely to interact directly with
>>>> Dogtag much (especially during installation).
>>>>
>>>> Fraser
>>>>
>>>
>>> I think it actually sets both the key algorithm and the signature algorithm
>>> (you can't do an RSA signature with an EC key, etc.), that's probably why it
>>> is called "key algorithm" in Dogtag.
>>
>> Hm, you are right that the key algorithm is implied during signature
>> algorithm selection. But still, values SHA256withRSA and friends really
>> denote just a signature algorithm and the option should be named
>> accordingly.
>>
>> Martin
>>
>
> Updated patch attached.
>
Looks good to me (and works well too) - ACK. Pushed to master, ipa-4-1.
(I just had to do a minor conflict resolution on master branch)

Thanks,
Martin

Freeipa-devel mailing list, Freeipa-devel@redhat.com, https://www.redhat.com/mailman/listinfo/freeipa-devel
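The distinction the thread settles on (the public key algorithm in subjectPublicKeyInfo versus the certificate's signatureAlgorithm, with the signature algorithm implying the key type) can be seen directly with Go's standard-library X.509 parser, which exposes the two as separate fields. This is an added example, not FreeIPA or Dogtag code; the certificate it inspects is a throwaway self-signed one it constructs itself.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Algorithms returns the two distinct X.509 fields discussed in the thread:
// the public key algorithm (RSA, ECDSA, ...) and the signatureAlgorithm.
func Algorithms(der []byte) (x509.PublicKeyAlgorithm, x509.SignatureAlgorithm, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, 0, err
	}
	return cert.PublicKeyAlgorithm, cert.SignatureAlgorithm, nil
}

// SelfSigned builds a throwaway self-signed CA certificate (constructed
// sample) with the given key and requested signature algorithm, as DER.
func SelfSigned(key crypto.Signer, sigAlg x509.SignatureAlgorithm) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		SignatureAlgorithm:    sigAlg,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
}

func main() {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// "SHA256withRSA" names a signature algorithm; the key algorithm (RSA) is implied.
	der, _ := SelfSigned(rsaKey, x509.SHA256WithRSA)
	fmt.Println(Algorithms(der)) // RSA SHA256-RSA <nil>
	// Same hash with an EC key gives a different signatureAlgorithm value.
	der, _ = SelfSigned(ecKey, x509.ECDSAWithSHA256)
	fmt.Println(Algorithms(der)) // ECDSA ECDSA-SHA256 <nil>
	// An RSA signature algorithm cannot be combined with an EC key: CreateCertificate refuses.
	_, err := SelfSigned(ecKey, x509.SHA256WithRSA)
	fmt.Println(err != nil) // true
}
```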