On Mon, 29 Sep 2014 13:16:07 +1000
Fraser Tweedale <ftwee...@redhat.com> wrote:

> On Fri, Sep 26, 2014 at 10:44:16AM -0400, Simo Sorce wrote:
> > On Fri, 26 Sep 2014 13:54:34 +0200
> > Martin Kosek <mko...@redhat.com> wrote:
> > 
> > > >> I tested the patch (it works fine with Dogtag 10), but I got
> > > >> very confused.
> > > >>
> > > >> What CA option are we setting? Signing algorithm or Key
> > > >> Algorithm? I thought we are only setting Signing algorithm,
> > > >> but in that case:  
> > > >
> > > > We are setting key algorithm for the CA signing key.  
> > > 
> > > That did not made me any less confused... If I check for example
> > > fields from certificate details from my browser, I see 2
> > > algorithms names:
> > > 
> > > * Public Key Algorithm (RSA, ECC, ...)
> > > * Certificate Signature Algorithm (SHA-1 with RSA, SHA-256 with
> > > RSA, something with ECC)
> > > 
> > > In that world, "key algorithm" should really refer to the key  PKI
> > > algorithm, i.e. RSA, ECC, ... Signature algorithms is where hashes
> > > come to play.
> > > 
> > > >> - --ca-key-algorithm option should rather read
> > > >> --ca-signing-key-algorithm  
> > > >
> > > > If you want to emphasize that it is actually the algorithm used
> > > > to sign the CA certificate, the option should read
> > > > --ca-certificate-signature-algorithm, but I would rather stick
> > > > to Dogtag terminology and keep the string "key algorithm" in the
> > > > name.  
> > > 
> > > I still think for most people "key algorithm" refers to Public Key
> > > algorithm. Rob or Simo, what is your take on this?
> > 
> > If we are defining the signing algorithm the "signing" string
> > should be somewhere in the option.
> > Having just --key-algorithm is indeed confusing.
> > 
> > Simo.
> > 
> 
> My take is that the terminology should be chosen in line with
> standards.  The X.509 field is called `signatureAlgorithm' so
> `--ca-certificate-signature-algorithm' makes sense to me.
> Consistency with Dogtag terminology is a secondary consideration
> considering FreeIPA users are unlikely to interact directly with
> Dogtag much (especially during installation).

+1

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to