On Mon, 2016-07-25 at 18:05 +0300, Alexander Bokovoy wrote:
> >But maybe I'm not seeing the proper priorities here. Perhaps it's more
> >of a problem because clients are easier to update with bugfixes than
> >the server? Or maybe the preference for the client is for scalability
> >reasons? Could you tell me more about why you prefer a client
> >implementation?
> Making client responsible for generating the certificate signing
> request serves several purposes where privacy is one of main benefits:
> access to private key stays at the client side.

I would definitely veto any scheme where the client must send the
private key to the server.

I thought the server would generate the CSR, but then it would be sent
to the client for signing?

Simo.

--
Simo Sorce * Red Hat, Inc * New York