On Mon, 2016-07-25 at 18:05 +0300, Alexander Bokovoy wrote:
> >But maybe I'm not seeing the proper priorities here. Perhaps it's more
> >of a problem because clients are easier to update with bugfixes than
> >the server? Or maybe the preference for the client is for scalability
> >reasons? Could you tell me more about why you prefer a client
> >implementation?
> Making the client responsible for generating the certificate signing
> request serves several purposes, where privacy is one of the main benefits:
> access to the private key stays at the client side.

I would definitely veto any scheme where the client must send the
private key to the server. I thought the server would generate the CSR,
but then it would be sent to the client for signing?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
