On Mon, 29 Sep 2014 13:16:07 +1000 Fraser Tweedale <ftwee...@redhat.com> wrote:
> On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote:
> > On Fri, 26 Sep 2014 13:54:34 +0200
> > Martin Kosek <mko...@redhat.com> wrote:
> > >
> > > >> I tested the patch (it works fine with Dogtag 10), but I got
> > > >> very confused.
> > > >>
> > > >> What CA option are we setting? Signing algorithm or Key
> > > >> Algorithm? I thought we are only setting Signing algorithm,
> > > >> but in that case:
> > > >
> > > > We are setting key algorithm for the CA signing key.
> > >
> > > That did not make me any less confused... If I check for example
> > > fields from certificate details from my browser, I see 2
> > > algorithm names:
> > >
> > > * Public Key Algorithm (RSA, ECC, ...)
> > > * Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with
> > > RSA, something with ECC)
> > >
> > > In that world, "key algorithm" should really refer to the key PKI
> > > algorithm, i.e. RSA, ECC, ... Signature algorithms are where hashes
> > > come into play.
> > >
> > > >> - --ca-key-algorithm option should rather read
> > > >> --ca-signing-key-algorithm
> > > >
> > > > If you want to emphasize that it is actually the algorithm used
> > > > to sign the CA certificate, the option should read
> > > > --ca-certificate-signature-algorithm, but I would rather stick
> > > > to Dogtag terminology and keep the string "key algorithm" in the
> > > > name.
> > >
> > > I still think for most people "key algorithm" refers to Public Key
> > > algorithm. Rob or Simo, what is your take on this?
> >
> > If we are defining the signing algorithm the "signing" string
> > should be somewhere in the option.
> > Having just --key-algorithm is indeed confusing.
> >
> > Simo.
> >
>
> My take is that the terminology should be chosen in line with
> standards. The X.509 field is called `signatureAlgorithm' so
> `--ca-certificate-signature-algorithm' makes sense to me.
> Consistency with Dogtag terminology is a secondary consideration
> considering FreeIPA users are unlikely to interact directly with
> Dogtag much (especially during installation).

+1

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
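The distinction the thread turns on, the public-key algorithm of the CA key versus the `signatureAlgorithm` field of the certificate, can be made concrete with Go's standard-library `crypto/x509`. The following is an added example written for this archive page; it is not code from the thread, from FreeIPA or from Dogtag. It generates throwaway self-signed CA certificates (subject name and validity are constructed values) and reads back both fields, showing that one key algorithm (RSA) can carry different signature algorithms (SHA-256 or SHA-512 with RSA), while switching to ECDSA changes the key algorithm itself. That is exactly why an option that only selects the hash-plus-signature scheme is better named after "signature" than after "key".

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertAlgorithms holds the two separate algorithm fields of an X.509
// certificate: the algorithm of the subject's public key (RSA, ECDSA, ...)
// and the algorithm used to sign the certificate (RFC 5280 signatureAlgorithm,
// e.g. SHA-256 with RSA).
type CertAlgorithms struct {
	PublicKeyAlgorithm string
	SignatureAlgorithm string
}

// selfSignedCA builds a throwaway self-signed CA certificate from key,
// signed with sigAlg, and returns it parsed. The subject name and validity
// window are constructed values for this example only.
func selfSignedCA(key crypto.Signer, sigAlg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// The signature algorithm is chosen independently of the key type,
		// as long as it is compatible with the key.
		SignatureAlgorithm: sigAlg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Algorithms reads the two fields back from a parsed certificate.
func Algorithms(cert *x509.Certificate) CertAlgorithms {
	return CertAlgorithms{
		PublicKeyAlgorithm: cert.PublicKeyAlgorithm.String(),
		SignatureAlgorithm: cert.SignatureAlgorithm.String(),
	}
}

// rsaCA issues an RSA-keyed CA certificate with the requested signature scheme.
func rsaCA(sigAlg x509.SignatureAlgorithm) (CertAlgorithms, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return CertAlgorithms{}, err
	}
	cert, err := selfSignedCA(key, sigAlg)
	if err != nil {
		return CertAlgorithms{}, err
	}
	return Algorithms(cert), nil
}

// RSAWithSHA256 and RSAWithSHA512 share the key algorithm (RSA) but differ
// in the signature algorithm; only the hash changes.
func RSAWithSHA256() (CertAlgorithms, error) { return rsaCA(x509.SHA256WithRSA) }
func RSAWithSHA512() (CertAlgorithms, error) { return rsaCA(x509.SHA512WithRSA) }

// ECDSAWithSHA256 changes the key algorithm itself (ECDSA on P-256).
func ECDSAWithSHA256() (CertAlgorithms, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return CertAlgorithms{}, err
	}
	cert, err := selfSignedCA(key, x509.ECDSAWithSHA256)
	if err != nil {
		return CertAlgorithms{}, err
	}
	return Algorithms(cert), nil
}

func main() {
	for _, mk := range []func() (CertAlgorithms, error){RSAWithSHA256, RSAWithSHA512, ECDSAWithSHA256} {
		a, err := mk()
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("public key algorithm: %-6s signature algorithm: %s\n",
			a.PublicKeyAlgorithm, a.SignatureAlgorithm)
	}
}
```

Running it prints one line per certificate; the first two lines show the same public key algorithm with different signature algorithms, which is the case an installer option like the one discussed above actually selects between.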