URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
@abbra I received an interactive review from @HonzaCholasta today and he is not 
very keen on the idea of having a ternary (absent/local/external/full) PKINIT 
configuration. He suggests to only have it absent/off (local implementation)/on 
and thus drop differentiation between PKINIT configured with IPA CA issued or 
3rd party certificates. The main concern here is that the 'local' PKINIT 
configuration is actually an implementation detail we should not leak to 
clients; they should only be able to tell if it is configured for them or not.

If you look into the design page, the two states (full/external) behave the 
same during replica installation and upgrade so the differentiation does not 
bring much new information to the users. So a simple on/off switch (something 
like pkinitStatus: off/on) could be enough and it could simplify the transition 
and UX. What do you think?
