On 05/05/2015 08:38 AM, Martin Kosek wrote:
> On 05/04/2015 09:23 PM, Simo Sorce wrote:
>> On Mon, 2015-05-04 at 16:41 +0200, Martin Kosek wrote:
>> So I am fine *not* revoking certs automatically and instead documenting
>> best practices for certs lifecycle management (ie deleting certs when
>> not useful) and how to manually/explicitly revoke certs only when
>> actually compromised (for hosts), or when needed (user leaves
>> organization and may retain a copy of the private key, unlikly when the
>> cert was in a Smart Card which has been returned and wiped).
> Well, makes sense to me. I added a section to the design:
> http://www.freeipa.org/page/V4/User_Certificates#Revocation_of_the_Certificates
> We just need to be cautious here because this would be a change in behavior
> compared to FreeIPA 4.1 and older. Should this be another global/per-profile
> policy setting that administrator could set up?

Honza said it is a good idea off-list (well, thank you!), so I added the
proposal in the design page to make this option part of the per-profile
certificate management policy:


If there are objections, please holler.

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to