On Fri, Apr 17, 2015 at 02:08:29PM +0200, Martin Kosek wrote:
> On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
> >Hi everyone,
> >
> >Please review my Certificate Profiles design proposal:
> >http://www.freeipa.org/page/V4/Certificate_Profiles
> >
> >Let me know what is unclear, what needs expansion, and what is plain
> >wrong :)
> >
> >The schema for storing multiple certificates for a principal is
> >still being discussed but I expect it will be agreed soon, and I
> >will add it to the document.
> >
> >I am revising the sub-CAs design proposal and it will soon be
> >published for review as well.
>
> 1) Where did you get this feature template? It is the one that is obsolete
> (header levels, document structure, missing author in the box)... This is
> the right template:
> http://www.freeipa.org/page/Feature_template
>
I saw you updated the formatting and added the `certprofile-mod` command - thanks!

> 2) I miss the certprofile-find command - to enable Web UI and/or CLI to search
> through existing profiles.
>
The command will exist, but it is still missing from the design page; I will add it.

> 3) Permissions
> So your plan is to allow different groups to use different profiles? So there
> would be for example profiles allowed to all users (something like
> userCategory:all that we use for HBAC/SUDO)? How do you plan to deal with
> authorization? Will it be on the FreeIPA framework level or for example by DS
> ACIs that would simply not show the profiles?
>
The design is living in the sub-CAs proposal. The discussion is ongoing (in another thread).

> 4) Searching for certificates by profile - FEEDBACK REQUIRED
> It would be nice to incorporate this filter into the current cert-find command.
>
I added `cert-find` and the filter.

> 5) Default set of profiles
> Should we also propose a basic set of canned profiles so that I can picture
> what the possibilities will be?
>
> Would it be something like
> * Server profile
> * Client profile
>
We will have a set of included profiles:

- The current caIPAserverCert profile (we will rebrand it; "TLS Server and Client Profile" or something)
- One for TLS server auth *without* client auth.
- User authentication

I will include this in the design page.

> 6) Upgrades
> It may happen that FreeIPA needs to upgrade defaults of a canned profile. It
> would be nice to have a section on how it would do it.
>
Should be trivial; I have added some commentary to the design page.

> This is all I could think of so far.
>
Thanks for your feedback!

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code