On Thu, Sep 24, 2015 at 01:19:51PM +0200, Martin Kosek wrote:
> On 09/15/2015 03:26 PM, Fraser Tweedale wrote:
> > On Tue, Sep 15, 2015 at 02:10:57PM +0200, Martin Kosek wrote:
> >> Hi Nathan and others,
> >>
> >> I am now going through FreeIPA 4.4 items and I am thinking about ECC 
> >> support in
> >> FreeIPA:
> >>
> >> https://fedorahosted.org/freeipa/ticket/3951
> >>
> >> AFAIK, ECC should be already supported in Dogtag. Could you please advise 
> >> what
> >> is the scope of expected changes in FreeIPA?
> >>
> >> My understanding is that following parts are required:
> >> 1) Generating ECC signing certificate for FreeIPA CA. This is not clear to 
> >> me
> >> though, if this task can be easily done during upgrade.
> >>
> > Lightweight (sub)CAs should allow it easily - once they support
> > specifying the key type and size/curve (currently subCAs are
> > hardcoded to rsa2048 but the subCAs are still a WIP; there is a
> > separate ticket[1] to track it).
> > 
> > There will also be a small amount of work on the IPA side - and
> > maybe some on Dogtag side - to allow new installation to use ECC
> > root.
> > 
> > [1] https://fedorahosted.org/pki/ticket/1589
> > 
> >> 2) Updating FreeIPA Certificate Profiles (which should be now in LDAP) and
> >> adding respective EC algorithms support to "signingAlgsAllowed", as noted 
> >> in
> >> https://fedorahosted.org/freeipa/ticket/3951#comment:1.
> >>
> > Yes, we will need to update the included profiles.  I have been
> > thinking about how to get more flexibility for profile updates; I
> > think versioning profiles is desirable but that will be a separate
> > design proposal.
> > 
> > Anyhow, I am happy to own these efforts.
> 
> Ok, thanks you for all the information - please do :-)
> 
I became owner of #3951 and also filed #5323 "Mechanism to update
included certprofiles".

Thanks,
Fraser

> > 
> > Cheers,
> > Fraser
> > 
> >> Is that correct or more is needed to make that working and supported in 
> >> FreeIPA?
> >>
> >> -- 
> >> Martin Kosek <mko...@redhat.com>
> >> Supervisor, Software Engineering - Identity Management Team
> >> Red Hat Inc.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to