Hi Fraser (and list),

Recently, we have proposed 2 new policies for treating user/host/service
certificates based on the per-profile policy:

a) If certificate is stored in userCertificate attribute
b) If the certificate is stored and object deleted/disabled, if the certificate
should be also revoked

Details in:
http://www.freeipa.org/page/V4/User_Certificates#Configuration

a) is straightforward. However, I was not thinking more about case b). When
object is deleted/disabled, how will framework tell what is the profile to
check the policy?

Will it ask Dogtag via some API call? Or will the profile me stored in the
certificate itself, just like MS CA does for some certificates?

Thanks.

-- 
Martin Kosek <mko...@redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to