On Thu, Sep 24, 2015 at 01:19:51PM +0200, Martin Kosek wrote:
> On 09/15/2015 03:26 PM, Fraser Tweedale wrote:
> > On Tue, Sep 15, 2015 at 02:10:57PM +0200, Martin Kosek wrote:
> >> Hi Nathan and others,
> >>
> >> I am now going through FreeIPA 4.4 items and I am thinking about ECC
> >> support in FreeIPA:
> >>
> >> https://fedorahosted.org/freeipa/ticket/3951
> >>
> >> AFAIK, ECC should be already supported in Dogtag. Could you please advise
> >> what is the scope of expected changes in FreeIPA?
> >>
> >> My understanding is that following parts are required:
> >> 1) Generating ECC signing certificate for FreeIPA CA. This is not clear to
> >> me though, if this task can be easily done during upgrade.
> >>
> > Lightweight (sub)CAs should allow it easily - once they support
> > specifying the key type and size/curve (currently subCAs are
> > hardcoded to rsa2048 but the subCAs are still a WIP; there is a
> > separate ticket to track it).
> >
> > There will also be a small amount of work on the IPA side - and
> > maybe some on Dogtag side - to allow new installation to use ECC
> > root.
> >
> >  https://fedorahosted.org/pki/ticket/1589
> >
> >> 2) Updating FreeIPA Certificate Profiles (which should be now in LDAP) and
> >> adding respective EC algorithms support to "signingAlgsAllowed", as noted
> >> in https://fedorahosted.org/freeipa/ticket/3951#comment:1.
> >>
> > Yes, we will need to update the included profiles. I have been
> > thinking about how to get more flexibility for profile updates; I
> > think versioning profiles is desirable but that will be a separate
> > design proposal.
> >
> > Anyhow, I am happy to own these efforts.
>
> Ok, thank you for all the information - please do :-)
>
I became owner of #3951 and also filed #5323 "Mechanism to update
included certprofiles".

Thanks,
Fraser

> >
> > Cheers,
> > Fraser
> >
> >> Is that correct or more is needed to make that working and supported in
> >> FreeIPA?
> >>
> >> --
> >> Martin Kosek <mko...@redhat.com>
> >> Supervisor, Software Engineering - Identity Management Team
> >> Red Hat Inc.