On Thu, Sep 24, 2015 at 01:19:51PM +0200, Martin Kosek wrote:
> On 09/15/2015 03:26 PM, Fraser Tweedale wrote:
> > On Tue, Sep 15, 2015 at 02:10:57PM +0200, Martin Kosek wrote:
> >> Hi Nathan and others,
> >> I am now going through FreeIPA 4.4 items and I am thinking about ECC
> >> support in FreeIPA:
> >> https://fedorahosted.org/freeipa/ticket/3951
> >> AFAIK, ECC should be already supported in Dogtag. Could you please advise
> >> what is the scope of expected changes in FreeIPA?
> >> My understanding is that following parts are required:
> >> 1) Generating ECC signing certificate for FreeIPA CA. This is not clear to
> >> me though, if this task can be easily done during upgrade.
> > Lightweight (sub)CAs should allow it easily - once they support
> > specifying the key type and size/curve (currently subCAs are
> > hardcoded to rsa2048 but the subCAs are still a WIP; there is a
> > separate ticket to track it).
> > There will also be a small amount of work on the IPA side - and
> > maybe some on Dogtag side - to allow new installation to use ECC
> > root.
> > https://fedorahosted.org/pki/ticket/1589
> >> 2) Updating FreeIPA Certificate Profiles (which should be now in LDAP) and
> >> adding respective EC algorithms support to "signingAlgsAllowed", as noted
> >> in https://fedorahosted.org/freeipa/ticket/3951#comment:1.
> > Yes, we will need to update the included profiles. I have been
> > thinking about how to get more flexibility for profile updates; I
> > think versioning profiles is desirable but that will be a separate
> > design proposal.
> > Anyhow, I am happy to own these efforts.
> Ok, thank you for all the information - please do :-)
I became owner of #3951 and also filed #5323 "Mechanism to update
> > Cheers,
> > Fraser
> >> Is that correct or more is needed to make that working and supported in
> >> FreeIPA?
> >> --
> >> Martin Kosek <mko...@redhat.com>
> >> Supervisor, Software Engineering - Identity Management Team
> >> Red Hat Inc.