On 09/15/2015 03:26 PM, Fraser Tweedale wrote:
> On Tue, Sep 15, 2015 at 02:10:57PM +0200, Martin Kosek wrote:
>> Hi Nathan and others,
>>
>> I am now going through FreeIPA 4.4 items and I am thinking about ECC support 
>> in
>> FreeIPA:
>>
>> https://fedorahosted.org/freeipa/ticket/3951
>>
>> AFAIK, ECC should be already supported in Dogtag. Could you please advise 
>> what
>> is the scope of expected changes in FreeIPA?
>>
>> My understanding is that following parts are required:
>> 1) Generating ECC signing certificate for FreeIPA CA. This is not clear to me
>> though, if this task can be easily done during upgrade.
>>
> Lightweight (sub)CAs should allow it easily - once they support
> specifying the key type and size/curve (currently subCAs are
> hardcoded to rsa2048 but the subCAs are still a WIP; there is a
> separate ticket[1] to track it).
> 
> There will also be a small amount of work on the IPA side - and
> maybe some on Dogtag side - to allow new installation to use ECC
> root.
> 
> [1] https://fedorahosted.org/pki/ticket/1589
> 
>> 2) Updating FreeIPA Certificate Profiles (which should be now in LDAP) and
>> adding respective EC algorithms support to "signingAlgsAllowed", as noted in
>> https://fedorahosted.org/freeipa/ticket/3951#comment:1.
>>
> Yes, we will need to update the included profiles.  I have been
> thinking about how to get more flexibility for profile updates; I
> think versioning profiles is desirable but that will be a separate
> design proposal.
> 
> Anyhow, I am happy to own these efforts.

Ok, thanks you for all the information - please do :-)

> 
> Cheers,
> Fraser
> 
>> Is that correct or more is needed to make that working and supported in 
>> FreeIPA?
>>
>> -- 
>> Martin Kosek <mko...@redhat.com>
>> Supervisor, Software Engineering - Identity Management Team
>> Red Hat Inc.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to