On 05/05/2015 08:38 AM, Martin Kosek wrote:
> On 05/04/2015 09:23 PM, Simo Sorce wrote:
>> On Mon, 2015-05-04 at 16:41 +0200, Martin Kosek wrote:
...
>> So I am fine *not* revoking certs automatically and instead documenting
>> best practices for cert lifecycle management (i.e. deleting certs when
>> not useful) and how to manually/explicitly revoke certs only when
>> actually compromised (for hosts), or when needed (user leaves the
>> organization and may retain a copy of the private key, unlikely when the
>> cert was in a Smart Card which has been returned and wiped).
>
> Well, makes sense to me. I added a section to the design:
> http://www.freeipa.org/page/V4/User_Certificates#Revocation_of_the_Certificates
>
> We just need to be cautious here because this would be a change in behavior
> compared to FreeIPA 4.1 and older. Should this be another global/per-profile
> policy setting that the administrator could set up?
Honza said it is a good idea off-list (well, thank you!), so I added the
proposal to the design page to make this option part of the per-profile
certificate management policy:
http://www.freeipa.org/page/V4/User_Certificates#Configuration

If there are objections, please holler.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code