On Fri, Apr 17, 2015 at 02:08:29PM +0200, Martin Kosek wrote:
> On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
> >Hi everyone,
> >
> >Please review my Certificate Profiles design proposal:
> >http://www.freeipa.org/page/V4/Certificate_Profiles
> >
> >Let me know what is unclear, what needs expansion, and what is plain
> >wrong :)
> >
> >The schema for storing multiple certificates for a principal is
> >still being discussed but I expect it will be agreed soon, and I
> >will add it to the document.
> >
> >I am revising the sub-CAs design proposal and it will soon be
> >published for review as well.
> 1) here did you get this feature template? It is the one that is obsolete
> (header levels, document structure, missing author in the box)... This is
> the right template:
> http://www.freeipa.org/page/Feature_template
I saw you updated the formatting and added the `certprofile-mod`
command - thanks!

> 2) I miss certprofile-find command - to enable Web UI and/or CLI to search
> through existing profiles.
The command will exist, but it is still missing from design page; I
will add it.

> 3) Permissions
> So your plan is to allow different groups use different profiles? So there
> would be for example profiles allowed to all users (something like
> userCattegory:all that we use for HBAC/SUDO)? How do you plan to deal with
> authorization? Will be on a FreeIPA framework level or for example by DS
> ACIs that would simply not show the profiles?
The design is living in the sub-CAs proposal.  The discussion is
ongoing (in another thread).

> 4) Searching for certificates by profile - FEEDBACK REQUIRED
> It would be nice to incorporate this filter to current cert-find command.
I added `cert-find` and the filter.

> 5) Default set of profiles
> Should we also propose a basic set of canned profiles so that I can picture
> what will be the possibilities?
> Would it be something like
> * Server profile
> * Client profile
We will have a set of included profiles:

- The current caIPAserverCert profile (we will rebrand it; "TLS
  Server and Client Profile" or something)
- One for TLS server auth *without* client auth.
- User authentication

I will include this in design page.

> 6) Upgrades
> It may happen that FreeIPA needs to upgrade defaults of a canned profile. It
> would be nice to have a section how it would do it.
Should be trivial; I have added some commentary to design page.

> This is all I could think of so far.
Thanks for your feedback!

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to