On Wed, Dec 31, 2014 at 10:34:37PM +0100, Jan Pazdziora wrote:
> 
> > endpoints, or their users, should not be trusted to
> > make updates to DNS zones.  TSIG signed updates from servers are still
> > preferred over authenticated updates from endpoints or users.
> 
> Server has identity just like service, just like user. You can have
> unimportant server and you can have important (admin) user. Ruling
> out authentication

... oops, I seem to have failed to finish this paragraph.

Ruling out authentication of identities means that you give up on
centrally controlled access policies -- something that FreeIPA is
good at, besides just storing identities.

In other words, instead of having increasing number of shared
secrets around your network, it might be useful to adopt the
approach when idenities can get created without many restrictions,
and what you allow those identities to do is what matters.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to