On Mon, 2016-07-25 at 12:09 -0400, Ben Lipton wrote:
> On 07/25/2016 12:03 PM, Simo Sorce wrote:
> > On Mon, 2016-07-25 at 18:05 +0300, Alexander Bokovoy wrote:
> >>> But maybe I'm not seeing the proper priorities here. Perhaps it's more
> >>> of a problem because clients are easier to update with bugfixes than
> >>> the server? Or maybe the preference for the client is for scalability
> >>> reasons? Could you tell me more about why you prefer a client
> >>> implementation?
> >> Making the client responsible for generating the certificate signing
> >> request serves several purposes where privacy is one of the main benefits:
> >> access to the private key stays at the client side.
> > I would definitely veto any scheme where the client must send the
> > private key to the server. I thought the server would generate the CSR,
> > but then it would be sent to the client for signing?
> >
> > Simo.
> >
> The server generates the data and formats it for the helper tool. The 
> helper runs on the client and generates the CSR, with signature. I don't 
> think we were considering signing anything server-side; in this thread I 
> was referring to whether the data should be requested and formatted on 
> the server or client side.

This was my understanding as well, but Alexander's comment startled me,
thanks for confirming.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
