Hi Fraser,

I'm the reviewer for your Sub-CAs and RFC 2818 designs. Let's start with
Sub-CAs first. http://www.freeipa.org/page/V4/Sub-CAs

In general the design is well written -- accurate as usual. I didn't
want to ACK the design with a simple LGTM, so I put myself in the
position of a customer and potential user of Sub-CAs. From the end user's
perspective, a couple of points in the design doc are either unclear or
are details that are not addressed.

1) How can I restrict a Sub-CA to a specific key usage or DNS suffix?

The design doc mentions a comment from the puppet community or the
possibility to use a SubCA for short-lived certs for VPN authentication.
As a customer I would like to restrict the KU, EKU and maybe name
constraints, e.g. a SubCA for hosts should be limited to EKU "TLS
webserver auth". Would it be possible to use a custom profile to
generate a SubCA and let users select the profile in ipa ca-add?

2) What is the relationship between Sub-CAs and profiles?

From the design doc it is unclear how cert profiles and Sub-CAs
interact. The certificate profile doc has
http://www.freeipa.org/page/V4/Certificate_Profiles#Schema_2, but that's
too technical. I'm not even sure I fully understand the meaning of the
schema and how memberCa affects profiles.

3) How can I make FreeIPA use a specific Sub-CA in a cert request?

IMO a 1:n relationship between CAs and profiles would make sense. That
way ipa cert-request --profile-id=caVPNCert could automatically select
the VPN Sub-CA.

4) Where is the private key of a Sub-CA stored locally and how is it

Customers will like to know where Dogtag keeps its crown jewels and how
they are secured.

5) What is the backup and export strategy for a Sub-CA private key?

Similar to 4), customers want to/should back up private keys securely.

