On 07/25/2016 12:03 PM, Simo Sorce wrote:
On Mon, 2016-07-25 at 18:05 +0300, Alexander Bokovoy wrote:
But maybe I'm not seeing the proper priorities here. Perhaps it's more of a problem because clients are easier to update with bugfixes than the server? Or maybe the preference for the client is for scalability reasons? Could you tell me more about why you prefer a client implementation?

Making the client responsible for generating the certificate signing request serves several purposes, where privacy is one of the main benefits: access to the private key stays at the client side.

I would definitely veto any scheme where the client must send the private key to the server. I thought the server would generate the CSR, but then it would be sent to the client for signing?

Simo.

The server generates the data and formats it for the helper tool. The helper runs on the client and generates the CSR, with signature. I don't think we were considering signing anything server-side; in this thread I was referring to whether the data should be requested and formatted on the server or client side.
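
The split described in this thread, as an added example that is not part of the original messages and is not FreeIPA code: one function formats the request data, and a client-side helper generates the key and signs the CSR locally. It assumes the `openssl` CLI is installed; the function names, host name, organization and the receipt check are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; every name and value below is constructed.

# "Server" role: format the subject data for the helper. No key material here.
server_format_config() {  # $1 = host name (constructed sample)
    cat <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $1
O = EXAMPLE.TEST
[ext]
subjectAltName = DNS:$1
EOF
}

# "Client" helper: generate the key locally and sign the CSR with it.
client_make_csr() {  # $1 = config file, $2 = key output, $3 = CSR output
    ( umask 077; openssl genrsa -out "$2" 2048 2>/dev/null ) || return 1
    openssl req -new -config "$1" -key "$2" -out "$3" 2>/dev/null
}

# Check on receipt (an assumption of this example): the self-signature
# verifies and the uploaded file carries no private key.
csr_is_acceptable() {  # $1 = file the client sent
    # Match the text: older openssl exits 0 even when verification fails.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    ! grep -q 'PRIVATE KEY' "$1"
}

demo() {
    work=$(mktemp -d) || return 1
    server_format_config client1.example.test > "$work/req.cnf"
    client_make_csr "$work/req.cnf" "$work/client.key" "$work/client.csr" || return 1
    csr_is_acceptable "$work/client.csr" && echo "CSR accepted; key stayed in $work/client.key"
    rm -rf "$work"
}
demo
```

Only `req.cnf` travels to the client and only `client.csr` travels back; the key file is created with mode 0600 and never leaves the client's directory.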
